GLOBAL
TDPSA Compliance for Texas Schools: Key Points and Walla Forms Application Cases
Yuvin Kim
September 8, 2025
GLOBAL
TDPSA Compliance for Texas Schools: Key Points and Walla Forms Application Cases
Yuvin Kim
September 8, 2025
For educational institutions in Texas, protecting student data is a paramount duty. While the Family Educational Rights and Privacy Act (FERPA) has long been the primary compliance guide, the Texas Data Privacy and Security Act (TDPSA), now in full effect, introduces new and critical considerations.
A common misconception is that FERPA provides a complete shield from state-level privacy laws. While the TDPSA does exempt data that is already governed by FERPA, schools and universities handle a vast amount of personal data that falls outside of FERPA's strict scope. This is where TDPSA compliance becomes essential.
This guide outlines the key TDPSA points Texas educational institutions must know and provides practical application cases using a secure platform like Walla Forms.
1. Understanding the FERPA vs. TDPSA Landscape
Your first step is to know which law applies to which dataset.
FERPA Applies: It generally covers "education records"—data directly related to a student that is maintained by the educational institution (e.g., grades, transcripts, disciplinary records).
TDPSA Applies: It covers personal data that is not considered an "education record" under FERPA. This often includes:
Prospective student data collected for marketing and admissions.
Alumni and donor data used for fundraising and engagement.
Data from visitors to the school's public website (e.g., newsletter sign-ups).
Data collected for non-curricular activities open to the public (e.g., summer camps, public events).
2. Key TDPSA Compliance Points for Schools
For all data that falls under the TDPSA's scope, institutions must focus on these key requirements:
Data of a "Known Child" is Sensitive Data: The TDPSA classifies any personal data collected from an individual known to be under 13 years of age as "sensitive data." This has a major implication.
Verifiable Parental Consent is Mandatory: To process this sensitive data, institutions must obtain verifiable parental consent before collection, in line with the federal Children's Online Privacy Protection Act (COPPA). This is a strict "opt-in" requirement.
Consumer Rights for Non-FERPA Data: For your alumni, donors, and prospective student databases, you must be prepared to honor their TDPSA rights, including the right to access, delete, and opt out of the "sale" of their data or targeted advertising.
Data Protection Assessments (DPAs) are Required: Processing children's data or using alumni data for certain types of targeted fundraising are high-risk activities that require a formal DPA to be conducted and documented.
Practical Application Cases with Walla Forms
Implementing these rules requires more than just policy; it requires the right tools. Here’s how a secure, compliant platform like Walla can be applied in real-world scenarios.
Case 1: The Summer Camp Registration Form
Scenario: Your school is hosting a summer science camp open to the community. The online registration form will collect names, ages, and allergy information (sensitive data) from children, including some under 13. This data is not a FERPA "education record."
Walla Forms Solution:
Create a secure registration form on the Walla platform.
The form includes a mandatory, standalone checkbox to capture auditable parental consent for collecting a child's data, as required by the TDPSA and COPPA.
All submitted data is protected by end-to-end encryption.
Set an automated retention rule in Walla to securely delete the registration data 30 days after the camp concludes, fulfilling the data minimization principle.
Case 2: The Alumni Fundraising Campaign
Scenario: Your university wants to launch a targeted fundraising campaign, which involves analyzing alumni data to identify potential major donors. This constitutes "profiling" and potentially a "sale" of data if working with third-party fundraising consultants.
Walla Forms Solution:
Manage your alumni database within Walla's secure, centralized platform.
In all fundraising emails, include a clear and conspicuous link to a Walla Form titled "My Privacy Choices."
On this form, alumni can easily exercise their right to opt-out of targeted communications or the "sale" of their data. Walla tracks these preferences automatically, ensuring you honor their choices and maintain a clean, compliant marketing list.
Case 3: Responding to an Alumnus's Deletion Request
Scenario: An alumnus who is not an active donor requests that the university delete all of their contact and engagement data that is not part of their permanent academic transcript (the FERPA record).
Walla Forms Solution:
The request is received and logged.
Because all non-FERPA alumni data is managed centrally in Walla, an administrator can quickly locate the individual's records.
The data is securely deleted according to the request. The entire action is automatically recorded in Walla's immutable audit trail, providing concrete proof that the request was fulfilled in a timely and compliant manner.
Conclusion
For Texas educational institutions, navigating data privacy in 2025 requires a dual strategy: continue to adhere to FERPA for core education records, and implement a robust TDPSA compliance program for everything else.
This is not possible with scattered spreadsheets and generic tools. A modern, secure data governance platform like Walla is no longer optional—it is essential for protecting your community and your institution's reputation.
For educational institutions in Texas, protecting student data is a paramount duty. While the Family Educational Rights and Privacy Act (FERPA) has long been the primary compliance guide, the Texas Data Privacy and Security Act (TDPSA), now in full effect, introduces new and critical considerations.
A common misconception is that FERPA provides a complete shield from state-level privacy laws. While the TDPSA does exempt data that is already governed by FERPA, schools and universities handle a vast amount of personal data that falls outside of FERPA's strict scope. This is where TDPSA compliance becomes essential.
This guide outlines the key TDPSA points Texas educational institutions must know and provides practical application cases using a secure platform like Walla Forms.
1. Understanding the FERPA vs. TDPSA Landscape
Your first step is to know which law applies to which dataset.
FERPA Applies: It generally covers "education records"—data directly related to a student that is maintained by the educational institution (e.g., grades, transcripts, disciplinary records).
TDPSA Applies: It covers personal data that is not considered an "education record" under FERPA. This often includes:
Prospective student data collected for marketing and admissions.
Alumni and donor data used for fundraising and engagement.
Data from visitors to the school's public website (e.g., newsletter sign-ups).
Data collected for non-curricular activities open to the public (e.g., summer camps, public events).
2. Key TDPSA Compliance Points for Schools
For all data that falls under the TDPSA's scope, institutions must focus on these key requirements:
Data of a "Known Child" is Sensitive Data: The TDPSA classifies any personal data collected from an individual known to be under 13 years of age as "sensitive data." This has a major implication.
Verifiable Parental Consent is Mandatory: To process this sensitive data, institutions must obtain verifiable parental consent before collection, in line with the federal Children's Online Privacy Protection Act (COPPA). This is a strict "opt-in" requirement.
Consumer Rights for Non-FERPA Data: For your alumni, donors, and prospective student databases, you must be prepared to honor their TDPSA rights, including the right to access, delete, and opt out of the "sale" of their data or targeted advertising.
Data Protection Assessments (DPAs) are Required: Processing children's data or using alumni data for certain types of targeted fundraising are high-risk activities that require a formal DPA to be conducted and documented.
Practical Application Cases with Walla Forms
Implementing these rules requires more than just policy; it requires the right tools. Here’s how a secure, compliant platform like Walla can be applied in real-world scenarios.
Case 1: The Summer Camp Registration Form
Scenario: Your school is hosting a summer science camp open to the community. The online registration form will collect names, ages, and allergy information (sensitive data) from children, including some under 13. This data is not a FERPA "education record."
Walla Forms Solution:
Create a secure registration form on the Walla platform.
The form includes a mandatory, standalone checkbox to capture auditable parental consent for collecting a child's data, as required by the TDPSA and COPPA.
All submitted data is protected by end-to-end encryption.
Set an automated retention rule in Walla to securely delete the registration data 30 days after the camp concludes, fulfilling the data minimization principle.
Case 2: The Alumni Fundraising Campaign
Scenario: Your university wants to launch a targeted fundraising campaign, which involves analyzing alumni data to identify potential major donors. This constitutes "profiling" and potentially a "sale" of data if working with third-party fundraising consultants.
Walla Forms Solution:
Manage your alumni database within Walla's secure, centralized platform.
In all fundraising emails, include a clear and conspicuous link to a Walla Form titled "My Privacy Choices."
On this form, alumni can easily exercise their right to opt-out of targeted communications or the "sale" of their data. Walla tracks these preferences automatically, ensuring you honor their choices and maintain a clean, compliant marketing list.
Case 3: Responding to an Alumnus's Deletion Request
Scenario: An alumnus who is not an active donor requests that the university delete all of their contact and engagement data that is not part of their permanent academic transcript (the FERPA record).
Walla Forms Solution:
The request is received and logged.
Because all non-FERPA alumni data is managed centrally in Walla, an administrator can quickly locate the individual's records.
The data is securely deleted according to the request. The entire action is automatically recorded in Walla's immutable audit trail, providing concrete proof that the request was fulfilled in a timely and compliant manner.
Conclusion
For Texas educational institutions, navigating data privacy in 2025 requires a dual strategy: continue to adhere to FERPA for core education records, and implement a robust TDPSA compliance program for everything else.
This is not possible with scattered spreadsheets and generic tools. A modern, secure data governance platform like Walla is no longer optional—it is essential for protecting your community and your institution's reputation.
For educational institutions in Texas, protecting student data is a paramount duty. While the Family Educational Rights and Privacy Act (FERPA) has long been the primary compliance guide, the Texas Data Privacy and Security Act (TDPSA), now in full effect, introduces new and critical considerations.
A common misconception is that FERPA provides a complete shield from state-level privacy laws. While the TDPSA does exempt data that is already governed by FERPA, schools and universities handle a vast amount of personal data that falls outside of FERPA's strict scope. This is where TDPSA compliance becomes essential.
This guide outlines the key TDPSA points Texas educational institutions must know and provides practical application cases using a secure platform like Walla Forms.
1. Understanding the FERPA vs. TDPSA Landscape
Your first step is to know which law applies to which dataset.
FERPA Applies: It generally covers "education records"—data directly related to a student that is maintained by the educational institution (e.g., grades, transcripts, disciplinary records).
TDPSA Applies: It covers personal data that is not considered an "education record" under FERPA. This often includes:
Prospective student data collected for marketing and admissions.
Alumni and donor data used for fundraising and engagement.
Data from visitors to the school's public website (e.g., newsletter sign-ups).
Data collected for non-curricular activities open to the public (e.g., summer camps, public events).
2. Key TDPSA Compliance Points for Schools
For all data that falls under the TDPSA's scope, institutions must focus on these key requirements:
Data of a "Known Child" is Sensitive Data: The TDPSA classifies any personal data collected from an individual known to be under 13 years of age as "sensitive data." This has a major implication.
Verifiable Parental Consent is Mandatory: To process this sensitive data, institutions must obtain verifiable parental consent before collection, in line with the federal Children's Online Privacy Protection Act (COPPA). This is a strict "opt-in" requirement.
Consumer Rights for Non-FERPA Data: For your alumni, donors, and prospective student databases, you must be prepared to honor their TDPSA rights, including the right to access, delete, and opt out of the "sale" of their data or targeted advertising.
Data Protection Assessments (DPAs) are Required: Processing children's data or using alumni data for certain types of targeted fundraising are high-risk activities that require a formal DPA to be conducted and documented.
Practical Application Cases with Walla Forms
Implementing these rules requires more than just policy; it requires the right tools. Here’s how a secure, compliant platform like Walla can be applied in real-world scenarios.
Case 1: The Summer Camp Registration Form
Scenario: Your school is hosting a summer science camp open to the community. The online registration form will collect names, ages, and allergy information (sensitive data) from children, including some under 13. This data is not a FERPA "education record."
Walla Forms Solution:
Create a secure registration form on the Walla platform.
The form includes a mandatory, standalone checkbox to capture auditable parental consent for collecting a child's data, as required by the TDPSA and COPPA.
All submitted data is protected by end-to-end encryption.
Set an automated retention rule in Walla to securely delete the registration data 30 days after the camp concludes, fulfilling the data minimization principle.
Case 2: The Alumni Fundraising Campaign
Scenario: Your university wants to launch a targeted fundraising campaign, which involves analyzing alumni data to identify potential major donors. This constitutes "profiling" and potentially a "sale" of data if working with third-party fundraising consultants.
Walla Forms Solution:
Manage your alumni database within Walla's secure, centralized platform.
In all fundraising emails, include a clear and conspicuous link to a Walla Form titled "My Privacy Choices."
On this form, alumni can easily exercise their right to opt-out of targeted communications or the "sale" of their data. Walla tracks these preferences automatically, ensuring you honor their choices and maintain a clean, compliant marketing list.
Case 3: Responding to an Alumnus's Deletion Request
Scenario: An alumnus who is not an active donor requests that the university delete all of their contact and engagement data that is not part of their permanent academic transcript (the FERPA record).
Walla Forms Solution:
The request is received and logged.
Because all non-FERPA alumni data is managed centrally in Walla, an administrator can quickly locate the individual's records.
The data is securely deleted according to the request. The entire action is automatically recorded in Walla's immutable audit trail, providing concrete proof that the request was fulfilled in a timely and compliant manner.
Conclusion
For Texas educational institutions, navigating data privacy in 2025 requires a dual strategy: continue to adhere to FERPA for core education records, and implement a robust TDPSA compliance program for everything else.
This is not possible with scattered spreadsheets and generic tools. A modern, secure data governance platform like Walla is no longer optional—it is essential for protecting your community and your institution's reputation.
Continue Reading
