Why Understanding the Texas Student Privacy Act is Critical for K-12 Schools
The Texas Student Privacy Act (Ed Code §32.151) protects student data used by educational websites, online services, and mobile apps. Passed in 2017 as House Bill 2087, the Act restricts how EdTech vendors use student information and grants parents significant rights over their children's data.
Key Provisions:
- Applies to: K-12 schools and their EdTech vendors.
- Protects: Student personally identifiable information (PII) like names, grades, test scores, and online activity.
- Restricts: Targeted advertising, creating non-educational student profiles, and selling student data.
- Parent Rights: Includes the right to review collected information and request data deletion.
- Enforcement: The Texas Attorney General can investigate violations and impose penalties.
The law defines an "operator" as a provider of an online platform used for school purposes. These operators must follow strict rules for handling "covered information"—any student data not publicly available.
Recent amendments have strengthened the law, requiring parental consent for more software and setting stricter standards for school devices. For IT directors, this means carefully vetting vendor contracts and ensuring cybersecurity training covers these requirements. The Act supplements federal FERPA protections by adding specific restrictions on the commercial use of student data.

Understanding the Core Mandates of the Texas Student Privacy Act (Ed Code §32.151)
The core of the Texas Student Privacy Act (Ed Code §32.151) is House Bill 2087, which took effect on September 1, 2017. As K-12 education embraced online services and mobile apps, legislators recognized the need for stronger data protection. The law's primary goal is to prevent the commercial exploitation of student information, ensuring that data collected for educational purposes is used only for education.
This digital fence around student data prevents a student's activity on an educational app from being used for marketing or tracking their browsing habits. For legal details, the full text of Texas Education Code Chapter 32 is available online.
Key Definitions You Need to Know
Understanding these terms makes the Act clearer:
- Operator: Any entity running a website, online service, or app with actual knowledge that its platform is designed, marketed, and used primarily for school purposes.
- Covered Information: Any personally identifiable information (PII) about a student that is not publicly available. This includes names, addresses, grades, discipline records, health information, and online activity like search history or location data.
- School Purpose: Activities directed by schools or that aid in school administration, which determines when the Act's protections apply.
- Targeted Advertising: Ads based on information collected from a student's online behavior or personal data. The Act prohibits this.
- Student Profile: A collection of student information compiled to create a comprehensive picture of a student. The Act restricts creating these profiles for non-educational purposes.
The Act draws clear lines about what operators cannot do with student data:
- Targeted advertising: Operators cannot use covered information to serve targeted ads to students. The educational space must remain focused on learning, not commerce.
- Creating non-educational student profiles: Building profiles to market unrelated products or services is forbidden. Profiling is only allowed if it directly supports educational personalization.
- Selling or renting student data: This is prohibited, with very narrow exceptions, such as a company acquisition where the successor is bound by the same privacy rules.
- Unauthorized disclosure: Sharing data with third parties is restricted and requires proper authorization for legitimate educational reasons.
Permitted Uses and Disclosures
The Act allows for responsible data handling that supports education:
- Improving educational products: Companies can analyze anonymized usage patterns to make their products better.
- Legal or regulatory compliance: Data can be used or disclosed to comply with federal, state, or local laws, including lawful court orders.
- Protecting user safety: Disclosures are allowed to maintain the security and integrity of the platform or protect users from harm.
- Use by subcontractors: Subcontractors may handle data if they agree to the same or stricter privacy requirements.
- Furthering school purposes: Any use that directly supports educational goals is generally permitted, provided it doesn't violate other parts of the Act.
Requirements for School Districts and EdTech Providers
Compliance with the Texas Student Privacy Act is a team effort between schools and their EdTech partners. The Act requires an ongoing partnership to protect student data. School districts act as the primary guardians, while EdTech providers are trusted partners who must handle that data responsibly.

Responsibilities of School Districts
As data protectors, school districts have several key responsibilities:
- Vendor Contract Review: Districts must scrutinize contracts to ensure they specify how student data will be used, stored, and protected. Contracts must prohibit vendors from using data for targeted advertising, non-educational profiling, or selling it.
- Data Governance: Districts need clear policies defining who can access student data, for what purpose, and for how long. A solid data governance plan provides a roadmap for data management.
- Parental Notification: Schools must maintain open communication with families about what information is collected and how it is used, helping parents understand their rights under the Act.
- Data Deletion: Districts must have efficient systems to handle parent or district requests for data deletion. Operators have 60 days to comply with such requests.
- Cybersecurity Framework: Following laws like the SB 820 requirements, Texas schools must protect their digital infrastructure with security assessments, incident response plans, and staff training.
Obligations for Website and App Operators (Vendors)
EdTech vendors working with Texas schools must:
- Implement Reasonable Security Practices: Vendors need robust, industry-standard security measures to protect student data from unauthorized access, deletion, or modification.
- Delete Student Data Upon Request: When a district requests data removal, vendors have 60 days to comply, unless parents consent to retention.
- Maintain Data Protection: Student information must only be used for legitimate school purposes. Vendors cannot sell data, create profiles for ad targeting, or repurpose educational data for commercial gain.
- Facilitate Parental Access: Vendors must support schools in providing parents with access to their children's data upon request.
- Contract Compliance: Agreements must clearly reflect all the Act's requirements, forming the foundation of the school-vendor partnership.
How Recent Amendments Have Changed the Landscape
Texas lawmakers have worked to keep student privacy protections current with evolving technology. Recent amendments to the Texas Student Privacy Act (Ed Code §32.151) have given parents more control and schools clearer guidance.
These changes reflect a demand for more transparency and control over the digital tools students use. The Texas Education Agency (TEA) now plays a more active role in setting standards, with a focus on minimizing data collection—if an app doesn't need certain information to function, it shouldn't collect it.

What to Know About the Texas Student Privacy Act (Ed Code §32.151) and New Consent Rules
HB 18 (2023) significantly strengthened parental rights regarding educational software.
- Informed Parental Consent: Schools now need specific parental consent for many software applications. Parents must be informed about what data each tool collects and how it will be handled.
- Exceptions for Core Curriculum: Software essential for core instruction that is directly managed by the school may be exempt, but transparency requirements still apply.
- District-Provided Devices: For school-issued devices, districts must work with parents on cybersecurity and online safety, including internet filtering and promoting safe digital practices at home.
- Transparency in Data Collection: Schools must clearly explain not just what data is collected, but why it is necessary for learning. This encourages all parties to be more thoughtful about data collection.
Stricter Standards for Electronic Devices and Software
The Texas Education Agency now sets clearer standards for educational technology, helping schools make safer decisions.
- Data Minimization Principles: The new standards push EdTech companies to justify every piece of student information they collect. If it's not essential for an educational purpose, it shouldn't be requested.
- Security Requirements for Software: The TEA has established more specific security requirements for how student data must be protected. This aligns with the broader need for strong cybersecurity in schools to prevent data breaches.
These stricter standards require both districts and vendors to improve their practices. Districts must be more selective with technology, and vendors must build privacy and security into their products from the start.
Comparing the Texas Student Privacy Act with FERPA
While the Family Educational Rights and Privacy Act (FERPA) is the federal cornerstone of student privacy, the Texas Student Privacy Act (Ed Code §32.151) builds upon these federal protections. The two laws work together to create a comprehensive shield for student data.
FERPA sets the basic rules for all schools receiving federal funds, while the Texas Act adds specific protections for the digital age, particularly regarding EdTech vendors.
The key difference is their focus: FERPA primarily regulates schools, while the Texas Act directly targets third-party vendors.
How the Texas Act Supplements Federal Law
The Texas Act fills gaps where federal law is less specific for the modern digital classroom.
- State-Level Specificity: The Act provides detailed definitions of "operators" and "covered information," offering clearer guidance than FERPA's broad strokes.
- Focus on EdTech Operators: The law holds the providers of digital platforms directly accountable for protecting student data, a crucial update from FERPA's paper-file era framework.
- Commercial Prohibitions: Most importantly, the Texas Act explicitly forbids practices like using student data for targeted advertising or selling it to data brokers—activities not directly addressed by FERPA.
- Data Security Requirements: The Act mandates that operators implement "reasonable security procedures and practices," a more explicit requirement than FERPA's. This is vital as K-12 cybersecurity becomes a greater concern. For more on federal law, see the Federal FERPA guidelines.
The Texas Act aligns with FERPA's concept of "directory information"—basic details like a student's name, address, and activities that schools can share without specific consent after providing an opt-out opportunity.
Since "covered information" under the Texas law excludes publicly available directory information, the Act's main prohibitions don't typically apply to it. However, the law reinforces the importance of parental opt-out rights and requires schools to be transparent about their directory information policies. This ensures a balance between operational needs and family privacy preferences.
Parental Rights, Enforcement, and Penalties
Empowering parents is a core principle of student privacy law. The Texas Student Privacy Act (Ed Code §32.151) gives parents enforceable rights over their child's educational data. Violations of these rights carry serious consequences.

Your Rights as a Parent or Guardian
As a parent or guardian in Texas, you have several key rights:
- Right to Review Student Data: You can inspect the "covered information" that your school district and its EdTech vendors have collected about your child.
- Requesting Data Deletion: You can ask for your child's information to be deleted. Operators generally have 60 days to comply with a district's request.
- Consent for Data Collection: Recent laws require your informed consent before your child can use many data-collecting software applications.
- Access to Vendor Information: Your school district must be transparent about the EdTech tools it uses and their privacy policies.
- Filing a Complaint: If you believe your child's rights have been violated, you can file a complaint with your school district, the Texas Education Agency (TEA), or the U.S. Department of Education. The TEA Parental and Student Privacy Rights page provides guidance on this process.
Penalties for Violating the Act
The Texas Student Privacy Act has significant enforcement power:
- Texas Attorney General Enforcement: The AG's office can investigate violations, seek court orders, and impose substantial civil penalties against non-compliant operators.
- Contractual Consequences: School districts can terminate contracts with vendors who violate the Act, which can be devastating to a company's business in Texas.
- Reputational Harm: A public privacy violation can destroy the trust that is essential for an EdTech company's success, making it difficult to maintain or secure new school partnerships.
- School District Accountability: While penalties primarily target operators, districts are also accountable for vetting vendors and implementing required cybersecurity measures, facing loss of community trust for failures.
These penalties ensure that all parties take their responsibility to protect student data seriously.
Conclusion
Understanding the Texas Student Privacy Act (Ed Code §32.151) is about more than compliance; it's about fostering a safe digital environment for students to learn and thrive. The Act represents Texas's commitment to protecting student privacy, evolving from its 2017 foundation to meet the challenges of modern educational technology.
The key takeaways are clear: EdTech companies cannot use student data for commercial purposes like targeted advertising, parents have meaningful rights to control their children's information, and school districts must be proactive partners in this protection. The law powerfully supplements federal FERPA protections by specifically addressing the commercial exploitation of student data by third-party vendors.
For school districts, proactive compliance is essential for building trust and avoiding serious penalties. However, policies alone are not enough. Student data privacy and cybersecurity are inextricably linked. Strong privacy rules are meaningless if a simple phishing email can compromise your entire system.
This is why a comprehensive approach to digital security is crucial. At CyberNut, we understand the unique challenges K-12 schools face. Our automated, gamified training helps your staff recognize and avoid phishing attempts that could expose sensitive student data. Our approach is designed to be effective and engaging for busy educators, strengthening your security without adding to your staff's workload.
Are you confident your school's defenses can protect the student data you are legally required to safeguard? Don't wait for a breach to find your vulnerabilities.
Get a complimentary Phishing Audit for your school district to see how your team would handle real-world phishing attempts. You can also Learn more about cybersecurity training for schools to see how our custom approach can strengthen your overall security posture.