Utah HB55 Takes Effect 7/1: What Districts Should Do in the Next 30 Days

 On July 1, anyone - a parent, a former employee, a competitor - can file a violation report that triggers a state-level investigation of one of your vendors. The audit will surface your contracts. Most Utah districts haven't planned for this. 

Two weeks ago, we walked through what Utah HB 55 actually does - and just as importantly, what it doesn't. (If you haven't read that one yet, start there. The gap argument is the foundation for everything in this post.)

Today is about implementation. The law takes effect July 1, 2026. That's roughly 30 days away. Here's what every Utah district leader should be doing between now and then - and the one provision in the bill that nobody is talking about, but probably should be.

What you'll get from this post:

✅ The three things that change operationally on July 1

✅ Who can now file a violation report against your vendors (it's broader than you think)

✅ What's likely already in your DPA, and what may not be

✅ A 30-day district readiness checklist you can actually run

✅ Why being audit-ready matters more than being compliance-ready

 

What changes on July 1?

Three things. All of them are in Section 53E-9-309 of Utah Code, as amended by HB 55.

1. New mandatory contract language.

Every new or renewed third-party contract with an education entity must include language describing the district's statutory duty to terminate the contract in the case of a privacy violation, and prohibiting any fee or financial liability for that termination. That's not optional; it's a contract-formation requirement. The next DPA renewal cycle that crosses your desk after July 1 needs to reflect this.

2. The 30-day discovery clock starts running.

When a district discovers a third-party contractor's unauthorized usage of student data in violation of FERPA, COPPA, or Utah's privacy chapter, the district has 30 days to formally notify the contractor. The vendor then has 30 days to remediate to the district's satisfaction and establish processes to prevent recurrence. If they don't, the district must terminate.

Worth noting: the bill says discovery, not incident. The clock starts when you learn about the violation, not when it happened. That distinction matters for how your incident response process needs to document what was known, when.

3. The State Board's reporting mechanism becomes operational.

This is the part nobody is covering. Under HB 55 Subsection (2)(c), any person may submit a report of a suspected violation directly to USBE's Student Data Privacy Team. The Team must conduct an initial credibility review, and if the report meets the standard, must initiate a compliance audit or investigation of the relevant third-party contractor.

This isn't entirely new - USBE's Student Data Privacy Team has been conducting investigations under Utah Code 53E-9-3 and Board Rule R277-487 for years. What's new is the formal mechanism, the broadened reporter universe, and the explicit requirement that USBE act on credible reports.

Who can file a violation report against your vendors?

Anyone. That's the literal answer. HB 55 uses the phrase "a person," which is unqualified.

In practice, that means:

  • A parent whose child uses the vendor's product
  • A current or former district employee
  • A competing vendor
  • A journalist
  • A privacy advocacy organization
  • A community member who reads about your district's vendor relationships in the news

The audit, if it happens, targets the vendor, not the district. That's an important distinction. But the audit will inevitably examine the contract between the vendor and your district, the data flows that contract authorized, and the district's own role in vendor oversight. Your DPA, your data inventory, and your incident response documentation all become visible to USBE through that process.

If your district's vendor management practices are clean and well-documented, an audit of one of your vendors is unlikely to create heartburn. If they aren't, an audit of one of your vendors is how you find out - at the worst possible time.

We've put together a one-page HB 55 DPA Gap-Check Worksheet - the specific contract language the law now requires, formatted as a checklist you can run against any active DPA in under an hour. [Free download here.] No email gate. Just take the thing and run!

What's likely already in your DPA - and what may not be

Most Utah LEAs use the Utah Student Privacy Alliance (USPA) standardized DPA. That template is the workhorse of K-12 vendor contracting in this state, and the people maintaining it are watching HB 55 closely. By the time July 1 hits, expect the template to reflect the new statutory requirements.

That's the good news. The bad news? There are three parts.

Custom DPAs.

If your district has signed any custom DPA outside the USPA template - say, a vendor that insisted on its own paper, or a contract inherited from before USPA was widely adopted - those documents need to be walked against HB 55's required language individually. Look specifically for: (a) a clause acknowledging the district's statutory termination duty under Utah Code 53E-9-309(2)(a)(iii), and (b) a clause prohibiting any fee, damages, or financial liability tied to that termination.

Older USPA-template contracts.

Contracts signed under prior versions of the USPA template won't automatically include the post-HB-55 language. The law applies to new and renewed contracts after July 1 - but renewal cycles vary, and depending on when each of your active contracts renews, you may operate under the older language for months.

The implicit assumption that someone is watching.

Here's the part that worries us most. Most district contract management workflows assume someone is tracking which contracts use which template version and when each one renews. In practice, that knowledge usually lives in one person's head. If that person leaves, the institutional memory leaves with them. The HB 55 readiness window is a good forcing function to write it down.

The 30-day readiness checklist

Five things, in priority order. Walk through these between now and June 30.

  1. Inventory active third-party contracts. Pull a list of every active DPA, MOU, or vendor agreement that touches student data. Note the contract value, the data categories involved, and the renewal date.
  2. Identify which contracts use the USPA template versus a custom DPA. The USPA contracts can wait for the updated template; the custom DPAs need individual review.
  3. For custom DPAs, flag any contract missing the HB 55 termination-duty and no-fee provisions. These need amendment language drafted before renewal.
  4. Document your incident response process and explicitly name who owns the 30-day notice clock. If a violation surfaces, somebody has to start the clock and notify the vendor in writing within 30 days. Make that ownership explicit, not implicit.
  5. Get current PenTest documentation on file. The attribution question we talked about in our last post hasn't gone away. If anything, HB 55's new reporting mechanism makes the attribution question more likely to be asked, by more people, sooner.

Why this matters more than just paperwork

Here's the through-line connecting the first post and this one: HB 55 is a procedural law. It tells districts and vendors what to do when an unauthorized usage violation is discovered. It doesn't tell you anything about who caused the incident in the first place.

That distinction - between procedural readiness and substantive defensibility - is where most district programs come up short. Procedural readiness means having the right paragraphs in your contracts and the right names on your incident response chart. Substantive defensibility means being able to prove, with documentation that pre-dates the incident, that your district did what it was supposed to do.

Procedural readiness is what HB 55 is asking for. Substantive defensibility is what an audit will reveal, one way or the other.

The good news:

The same documentation work that gives you substantive defensibility also makes procedural readiness mostly automatic.

A district that has...

  • a current vendor inventory 

  • recent PenTest documentation

  • a named owner for the 30-day clock

  • and an annual privacy compliance review process running cleanly


...is a district that doesn't have to scramble when an audit notification arrives.

 

So here's the offer

Loop + Ledger does professional security audits paired with vCISO support, specifically for K-12 districts, with former educators in C-suite roles. As far as we've found, we're the only firm doing exactly this combination. We PenTest districts the way we'd want our own kids' districts PenTested - practical, prioritized, and translated into language a school board will actually act on.

If you're staring at the 30-day window and not sure where to start, [book a 20-minute consult here.] No slides, no pitch deck. Just a conversation about what readiness looks like for a district your size.

Already done some of this work and want a second set of eyes on your DPA portfolio? [Grab the DPA Gap-Check Worksheet.] Run it against your active contracts; let us know what you find.

Keep reading

The Policy Breakdown is a Scoop and Ledger series translating state edtech privacy and AI legislation for K-12 leaders.

Loop + Ledger is the only K-12-specialized cybersecurity firm we've found that pairs professional PenTesting and vCISO support with former educators at the C-suite level. We work with districts to build the kind of defensible security posture that holds up when it matters.

 

Working through your HB 55 readiness? Found something tricky in your DPA portfolio? Drop a note in the comments or [reply to this post]. We read everything.