Student Privacy and Third-Party Apps:

Why Washington's Student Data Privacy Landscape is More Complex Than You Think

RCW 28A.320.126 – Student data and third-party service providers is often misunderstood. Here's a quick overview of what you need to know:

Quick Answer:

• RCW 28A.320.126 mandates emergency response systems, not broad student data privacy rules.
• The SUPER Act (RCW 28A.604) sets the core requirements for how third-party vendors handle student data.
• School districts must: Vet vendors, use compliant contracts, provide parental data access, and maintain security policies.
• Third-party vendors must: Be transparent about data collection, get consent for policy changes, ban targeted ads, and delete data on request.
• Other laws apply: Federal laws like FERPA and COPPA, plus Washington's My Health My Data Act, also govern student data.

The digital change of K-12 education offers incredible tools but creates a complex web of data privacy obligations. Washington State's laws are a patchwork, and the stakes for non-compliance are high, from data breaches to legal liability. A single phishing email can undermine all other compliance efforts.

This guide will break down what school districts and vendors must do to protect student data, clarify common points of confusion, and help you build a practical compliance strategy. Understanding how these legal pieces fit together is the first step toward protecting your students and your district.

Decoding Washington's Student Privacy Laws: RCW 28A.320.126 and the SUPER Act

Many assume RCW 28A.320.126 – Student data and third-party service providers is the main law governing how EdTech vendors handle student data. However, its primary focus is on emergency response systems in schools, not comprehensive data management by third-party vendors.

The core rules for student data protection are found in the Student User Privacy in Education Rights (SUPER) Act, codified under RCW 28A.604. Understanding the difference between these two laws is critical for compliance and preventing gaps in your data protection strategy.

The Limited Scope of RCW 28A.320.126

RCW 28A.320.126 mandates that school districts develop and maintain emergency response systems, such as panic buttons and alert systems that notify law enforcement. While these systems handle some data (e.g., student location during a crisis, school maps), the statute does not set broad rules for how third-party educational apps handle student grades, behavioral records, or learning profiles.

RCW 28A.320.126 is about emergency response technology, not comprehensive data privacy. For the framework governing EdTech vendors, you must turn to the Washington Student User Privacy in Education Rights (SUPER) Act.

The SUPER Act (RCW 28A.604): Core Rules for Student Data and Third-Party Service Providers

The SUPER Act (RCW 28A.604) contains the specific, enforceable requirements for third-party service providers handling student data.

Key definitions set the boundaries. A "school service" is any online tool designed for K-12 use that collects "student personal information," which is broadly defined as any data that can identify a student. The Act also bans "targeted advertising" based on student data but allows for adaptive learning technology.

Under RCW 28A.604.020, school service providers have several key obligations:

• Transparency: Providers must clearly explain what data they collect, how it's used, and with whom it's shared.
• Notice of Changes: Prominent notice must be given before any material changes are made to privacy policies.
• Data Access and Correction: Providers must help schools facilitate parent and student requests to access and correct their personal information.
• Prohibition on Commercial Use: Selling student data or using it to build marketing profiles is forbidden. Data can only be used for the contracted educational purpose.
• Subcontractor Compliance: Any subcontractors are also fully subject to these requirements.

Understanding the SUPER Act is non-negotiable for districts and EdTech vendors in Washington. For more on compliant data handling, see our resources on Data Processing.

Key Requirements for School Districts and Third-Party Vendors

Student data privacy is a shared responsibility between school districts and vendors. Proactive compliance is the foundation of trust. When districts establish robust data security policies and vendors honor their commitments, students stay protected.

School District Responsibilities Under Washington Law

As the gatekeepers of student information, school districts have several key responsibilities that begin before any contract is signed.

• Vetting and Monitoring Vendors: Thoroughly investigate a vendor's privacy and security practices before adoption and continue to monitor them for ongoing compliance.
• Contractual Requirements: Ensure every vendor contract explicitly addresses the privacy requirements of the SUPER Act (RCW 28A.604). Contracts must detail how data is collected, used, and protected; prohibit commercial use; and include provisions for data deletion. For guidance, see our resources on Purchasing Contracts.
• Providing Parental Notice: Keep parents informed about the technology tools their children use and the data being collected.
• Facilitating Data Access and Correction: Establish clear processes to handle parent and student requests to see or correct their data, as required by the SUPER Act.
• Maintaining Data Security Policies: Develop comprehensive policies for administrative, technical, and physical safeguards. This must include guidelines for data access, encryption, breach response, and, critically, staff training.

How vulnerable is your staff to phishing? Get a complimentary phishing audit at [https://www.cybernut.com/phishing-audit] to find out.

Obligations for EdTech Vendors Handling Student Data

EdTech vendors working with Washington schools have non-negotiable legal obligations under the SUPER Act (RCW 28A.604).

• Transparency: Provide clear, easy-to-understand information about data collection, use, and sharing. Prominently notify districts of any material changes to privacy policies.
• Data Security: Implement and maintain robust administrative, technical, and physical safeguards, including encryption and access controls, to protect student data.
• Data Deletion: Have protocols for the timely deletion of student data upon request or when it is no longer needed.
• Prohibition on Commercial Use: Do not use student data for targeted advertising, to build commercial profiles, or sell it to third parties. Data use is strictly limited to the educational purpose of the service.
• Subcontractor Compliance: Ensure any subcontractors who access student data adhere to the same strict privacy and security standards.

Fulfilling these duties builds trust and sustainable partnerships. For more on securing third-party data, read Beyond Firewalls: How to Secure Data Shared with Third-Party EdTech Vendors.

Navigating the Broader Privacy Landscape: FERPA, COPPA, and MHMDA

Washington's laws are part of a larger puzzle that includes federal regulations and other state requirements. Understanding how the SUPER Act, FERPA, COPPA, and Washington's My Health My Data Act (MHMDA) interact is essential for comprehensive compliance.

Federal Overlays: How FERPA and COPPA Set the Foundation

Federal laws provide a baseline of protection for student data.

The Family Educational Rights and Privacy Act (FERPA) protects the privacy of student education records. It gives parents rights to access, correct, and control the disclosure of this information. Under FERPA's "school official" exception, districts can share data with vendors performing institutional services, but only if the vendor uses the data for the authorized purpose and maintains confidentiality. For a deeper dive, see our guide: All About FERPA: The Federal Student Privacy Law That Still Matters in 2025.

The Children's Online Privacy Protection Act (COPPA) applies to online services directed at children under 13. It requires verifiable parental consent before collecting personal information. Schools can provide consent on behalf of parents for educational purposes, but they must ensure vendors use the data appropriately and limit collection to what is necessary.

Washington's My Health My Data Act (MHMDA): A New Hurdle for Schools?

Effective March 31, 2024, the My Health My Data Act (MHMDA) introduced new rules for "consumer health data," which is broadly defined to include information related to physical or mental health collected by many wellness and mental health apps.

Does MHMDA apply to student data? It depends. MHMDA exempts data already protected by FERPA. If student health information is part of an official education record, it is likely exempt. However, if a third-party app collects health data that does not become part of the student's formal education record, MHMDA's strict requirements could apply. For example, data from a meditation or nutrition app that stays within the app's ecosystem might be covered.

The implications are significant. MHMDA requires explicit, opt-in consent for data collection and includes a private right of action, allowing individuals to sue for violations with penalties up to $25,000 per violation. It also strictly prohibits geofencing around healthcare facilities.

Districts using any technology that collects health-related information must evaluate whether MHMDA applies. Work with vendors to understand how data is classified and stored. For official guidance, Read the Washington State AG FAQs on MHMDA.

Consequences and Best Practices for RCW 28A.320.126 – Student data and third-party service providers

Understanding Washington's privacy laws is only half the battle; implementing robust practices to mitigate risk is the other. Even the best technical safeguards can be undermined by human error. A holistic approach must address technology, policies, and people.

Potential Penalties for Non-Compliance

Failing to comply with student privacy laws carries serious consequences:

• Enforcement Actions: The Washington Attorney General can pursue violations under the state's Consumer Protection Act.
• Heavy Fines: MHMDA includes a private right of action, allowing individuals to sue for damages up to $25,000 per violation. A single breach could lead to devastating financial penalties.
• Legal Liability: Districts can be held liable for a vendor's data mishandling, especially if vetting or contractual protections were inadequate.
• Vendor Contract Termination: Non-compliant vendors risk losing school district contracts, a significant blow in the competitive EdTech market.
• Reputational Damage: A data breach can evaporate community trust, leading to long-term damage that is difficult to repair.

As detailed in Student Data Becomes Prime Target in K-12 Cyberattacks: Districts Rush to Tighten Access and Vendor Controls, the threat is real and growing.

Building a Human Firewall: The Critical Role of Staff Training

Your strongest defense isn't technology; it's your people. Administrative, technical, and physical safeguards are all essential, but a single employee clicking a malicious link can bypass them all.

This is why phishing awareness training is your first line of defense. Phishing is the most common entry point for cybercriminals, who exploit human psychology to gain access. Staff must be trained to recognize these sophisticated threats in real-time.

Effective security awareness requires ongoing training, not a one-time session. The best programs deliver engaging, bite-sized training throughout the year to build a security-conscious culture. Investing in a human firewall empowers your staff to be proactive defenders of student data.

Want to know where your vulnerabilities are? Get a complimentary phishing audit to see how your staff would respond to real-world phishing attempts.

For guidance on creating a complete security posture, explore our More info about a Data Security and Privacy Plan resources. Protecting student data is about equipping your people to be your strongest defense.

Frequently Asked Questions about Washington Student Data Privacy

Navigating Washington's student data privacy laws can be confusing. Here are answers to some common questions.

What is the main purpose of RCW 28A.320.126 – Student data and third-party service providers?

Despite its title, RCW 28A.320.126 is primarily focused on mandating emergency response systems in schools, such as panic buttons and alert technologies. While these systems involve data, this statute does not set the comprehensive rules for how EdTech vendors handle student data for educational purposes. Those core rules are found in the Washington Student User Privacy in Education Rights (SUPER) Act (RCW 28A.604).

How can parents access their child's data held by a third-party vendor?

Parents have the right to access and correct their child's data. The process should start by contacting the school district. Under the SUPER Act, districts are required to facilitate these requests with their vendors. The vendor must then work with the district to provide the requested access promptly.

Does the My Health My Data Act (MHMDA) apply to data already covered by FERPA?

Generally, no. MHMDA exempts data that is already part of a student's official education record protected by FERPA. However, MHMDA could apply to health data collected by third-party apps (e.g., wellness or mental health platforms) if that data is not integrated into the official student record. Because MHMDA has strict consent requirements and a private right of action with high penalties, districts must carefully evaluate any app that collects health-related information. For more, see the Washington State AG FAQs on MHMDA.

Protecting student data also means securing your systems. Identify your weak spots with a complimentary phishing audit.

Washington Student Privacy: Key Takeaways

Protecting student data in Washington requires a multi-layered strategy. While RCW 28A.320.126 focuses on emergency response systems, the SUPER Act (RCW 28A.604) provides the core rules for third-party vendors. These state laws work in tandem with federal regulations like FERPA, COPPA, and the new My Health My Data Act (MHMDA).

A successful strategy involves vetting vendors, enforcing strong contracts, and maintaining robust security policies. However, technology and policy alone are not enough. The most critical line of defense is your staff. A single click on a phishing email can bypass the most expensive security systems, making the human element the decisive factor in preventing breaches.

The stakes—financial penalties, legal liability, and reputational damage are too high to ignore. At CyberNut, we specialize in strengthening this human firewall. Our automated, gamified micro-trainings are designed for busy K-12 environments, changing staff into confident defenders of student data.

Ready to see where your vulnerabilities are? Get a complimentary phishing audit today at [https://www.cybernut.com/phishing-audit]. You'll get a clear picture of your current risk level and concrete steps to strengthen your defenses.

Protecting students is about building a secure digital future. Learn more about our resources and find how we can help make cybersecurity training simple and effective for your team.