New Utah Study Shows Widespread Sharing by Vendors of Student Data in Violation of State law and the DPA Contract

On August 25, 2025, the Utah Board of Education and Brigham Young University published a report that studied the data traffic of 100 EdTech vendors who provide services to Utah school districts. Included in the report were some of the largest EdTech vendors in the state. The report concluded that 36% of these companies were sending student data to third party advertising companies, while 52% were collecting data not authorized by the applicable Data Privacy Agreements. The report noted that there was a correlation of data misuse based on the fee structure. If the service was free or “basic,” the data was more likely to be misused. If the service was “premium” and paid for by the district, the incidence of misuse was less. Users were not notified that the amount of data protection would vary based on fee structure.  

The most commonly shared data element were student UUIDs, Universal Unique Identifiers, which help identify students and are used by advertisers to conduct online profiling and behavioral advertising. These practices are clearly prohibited by applicable data privacy agreements and state law. While the study was restricted to Utah, most of the involved companies do business throughout the United States. There is therefore reason to believe that these practices are being replicated in other states. F3 is making efforts to respond to this misuse on a contractual, regulatory, and statutory basis. It is hoped that similar studies will be conducted in California. We will keep you apprised of these efforts.