Texas Legislature Passes Student Privacy Act

House Bill No. 2087, known as the Student Privacy Act, is one of many bills the Texas Legislature passed this year focusing on data privacy and cybersecurity. Our legislators are recognizing that the way we do business and the way we teach have changed with technological advancements and that privacy and security must be a focus going forward.

The Student Privacy Act protects students’ personally identifiable information used in connection with websites, online services, online applications, or mobile applications for a school purpose. The Act takes effect September 1, 2017. It is directed at “operators” meaning the operators of websites, online services, online applications, or mobile applications who have actual knowledge that the platform is used primarily for a school purpose and was designed and marketed for a school purpose. (Tex. Educ. Code § 32.151(3)).

Covered Information

“Covered information” means personally identifiable information (“PII”) or information linked to PII that is not publicly available and is:

  1. created or provided to an operator by a student or student’s parent in the course of the student’s or parent’s use of the operator’s website, online service, online application, or mobile application for a school purpose;
  2. created by or provided to an operator by a school district or campus employee for a school purpose; or
  3. gathered by an operator through the operation of the website, online service, online application, or mobile application for a school purpose and personally identifies a student. (Tex. Educ. Code § 32.151).

The Act provides examples of this type of information, including discipline records, health records, biometric information, disabilities, food purchases, and geolocation information. (Id.)


The Act prohibits the operator of a website, online service, online application, or mobile application from engaging in targeted advertising if the target of the advertising is based on information the operator acquired through the use of those platforms for a school purpose. (Tex. Educ. Code § 32.152(1)). Operators are also prohibited from using information to create a profile about a student, unless the profile is created for a school purpose. (Tex. Educ. Code § 32.152(2)). Operators also cannot sell or rent any student’s covered information. (Tex. Educ. § 32.152(3)).

Allowed Uses and Disclosures

The Act sets forth many allowed uses and disclosures of covered information, which primarily focus on educational uses and improvement of the educational resources. Disclosures are allowed, for example, to further a school purpose, ensure legal compliance, protect against liability, respond to or participate in the judicial process, and protect the safety or integrity of users or the platform itself. (Tex. Educ. Code § 32.153). Additionally, an operator can use covered information to improve educational products or demonstrate the effectiveness of the products if the information is not associated with an identified student. (Tex. Educ. Code § 32.154).

Requires Reasonable Security Measures

The operator must put in place and maintain reasonable security procedures and practices designed to protect covered information from unauthorized access, deletion, use, modification, or disclosure. (Tex. Educ. Code § 32.155).

Record Deletion

If a school district requests deletion of a student’s covered information and the information is under the district’s control, the operator must delete the information no later than sixty days after the date of the request. (Tex. Educ. Code § 32.156). The operator does not have to delete the information if the student or the student’s parent consents to the operator continuing to maintain the covered information. (Id.).

If you have questions about the Student Privacy Act or any other data privacy or cybersecurity issues, please contact Jackson Walker’s Privacy Team.

Meet Sara

Sara Hollan Chelette is a commercial litigator who counsels clients in partnership and trust disputes, breach of contract lawsuits, and various data privacy matters. She serves as Co-Chair of Jackson Walker’s Cybersecurity Litigation practice. Sara has helped clients take proactive steps to prevent cyber incidents and be in the best position to respond in the event they arise. She has assisted clients in preparing incident response plans, entering into strategic vendor partnerships, and procuring cyber liability insurance. Sara has also advised clients on nationwide data security incidents and counseled clients through incident response. She frequently publishes articles on emerging data privacy issues to educate clients. Sara also has experience counseling clients on the EU General Data Protection Regulation.