Protecting K–12 Data

Why Washington's Data Privacy Landscape Matters for K-12 Schools

The Washington Consumer Data Privacy Act (Drafted, referenced as guideline), though not yet law, is a key benchmark in the state's push for consumer privacy. For K-12 schools, understanding this drafted act—along with existing laws like RCW 28A.320.126 and the My Health My Data Act—is vital for a comprehensive data privacy strategy.

Quick Answer: What You Need to Know

• RCW 28A.320.126 is Washington's core student privacy law, mandating specific vendor contracts and data security policies.
• The My Health My Data Act (MHMDA) took effect in 2024, with broad rules for handling "consumer health data."
• The Washington Consumer Data Privacy Act has been proposed multiple times and serves as a guideline for future privacy expectations.
• All three frameworks emphasize consumer rights, opt-in consent, data minimization, and security.
• Schools must comply with FERPA (federal), RCW 28A.320.126 (state), and potentially MHMDA for health-related data.

Washington's data privacy landscape is a complex patchwork. The state Constitution recognizes privacy as a fundamental right, but unlike states with comprehensive laws, Washington has passed specific protections for student and health data while broader bills have stalled.

For K-12 IT directors, this means managing student information systems, wellness apps, and EdTech tools that may fall under different legal requirements. Some are covered by FERPA, others might trigger MHMDA, and the drafted Washington Consumer Data Privacy Act signals the legislature's future direction.

The stakes are high. MHMDA includes a private right of action, allowing individuals to sue directly for violations, with penalties reaching up to $25,000 per violation. This article breaks down all three frameworks to help you build a unified compliance strategy.

Understanding RCW 28A.320.126: Washington's Core Student Privacy Law

For K-12 education in Washington, RCW 28A.320.126 is the foundation for student data privacy. This law creates clear guardrails for how schools and their vendors handle sensitive student information.

At its core, RCW 28A.320.126 focuses specifically on K-12 student data protection, covering grades, disciplinary records, health information, and assessment results. It recognizes this data is sensitive and requires special protection.

Given the many systems your district uses from student information systems to EdTech products vendor contract obligations are critical. RCW 28A.320.126 requires specific contract language before a third-party provider can access student data. These clauses must detail how vendors collect, use, and store that information, ensuring they follow the same privacy rules as your district. Our guide on Contract Clauses Every School Should Demand in EdTech Agreements can help you get this right.

The law also reinforces parental rights and access. Parents and guardians can review their child's educational records and request corrections, which builds trust and transparency.

Most importantly, RCW 28A.320.126 mandates that every school district establish data security policy requirements. This is a living document outlining your administrative, technical, and physical safeguards. Your policy must address data access controls, encryption, storage, breach response, and staff training. A solid policy influences purchasing, onboarding, and incident response. Our Data Security and Privacy Plan resource can help you build a comprehensive one.

This law works with federal FERPA requirements but adds state-specific teeth. The Washington Student User Privacy in Education Rights SUPER Act builds on this foundation with even more detail. While the Washington Consumer Data Privacy Act (Drafted, referenced as guideline) hasn't passed, RCW 28A.320.126 shows that Washington already has a strong baseline for protecting K-12 student data.

The My Health My Data Act: A New Privacy Hurdle for Schools?

Washington's My Health My Data Act (MHMDA) has changed the privacy landscape. While not written for K-12 schools, its broad definition of "consumer health data" could impact how your district handles certain student health information.

MHMDA became law on April 27, 2023, with compliance required by March 31, 2024, for most organizations. You can read more about the Landmark My Health My Data Act signed into law. The law was designed to fill gaps left by HIPAA, which covers traditional healthcare providers. But what about wellness apps, mental health platforms, or fitness trackers used by schools?

If your school collects or processes health-related data not covered by FERPA or HIPAA, MHMDA might apply. This is especially true when working with third-party health and wellness vendors. Your Data Security and Privacy Plan must now account for this.

What is 'Consumer Health Data' Under MHMDA?

The definition is remarkably broad: any personal information linked to a consumer's past, present, or future health status. This includes:

• Biometric data (e.g., fingerprint or facial recognition scanners).
• Location data that could indicate someone is accessing health services.
• Reproductive or gender-affirming care information.
• Inferred health status from data like sleep or eating habits tracked by an app.

Crucially, MHMDA applies to data not covered by HIPAA or FERPA. This could include data from wellness apps, mental health support platforms, or student well-being surveys. For more on this, see our guide on Sensitive Data Definition and Types.

Key Business Requirements: Consent, Policies, and Security

MHMDA imposes strict responsibilities on organizations handling consumer health data.

• Consumer Health Data Privacy Policy: You must maintain a clear, standalone policy detailing the categories of data collected, the purpose, sources, and any third parties it's shared with. The Full text of House Bill 1155 outlines these requirements.
• Consent: You must obtain explicit, opt-in consent before collecting or sharing consumer health data. Pre-checked boxes or passive agreement do not count.
• Data Security: You must establish reasonable safeguards to protect the confidentiality and integrity of the data. This is critical when using third-party vendors, as detailed in our guide on Beyond Firewalls: How to Secure Data Shared with Third-Party EdTech Vendors.
• Access Control: Restrict data access to employees and vendors who have a legitimate need.

Consumer Rights and Responding to Requests

MHMDA grants Washington residents significant rights, mirroring those in the drafted Washington Consumer Data Privacy Act (Drafted, referenced as guideline).

Individuals have the right to confirm data collection, access their data, delete it, and withdraw consent. You must respond to deletion requests within 30 days and access requests within 45 days. If you deny a request, you must explain why and provide an appeal process. Your Privacy procedures must be transparent and well-documented.

Penalties and a Powerful Private Right of Action

MHMDA has serious teeth. Violations are considered an unfair act under the state's Consumer Protection Act, enforceable by the Attorney General.

Crucially, MHMDA includes a private right of action, allowing individuals to sue organizations directly for violations. They can seek actual damages, attorney's fees, and courts can award treble damages up to $25,000 per violation. As the statute notes, Consumers may bring a civil action for redress. For schools, this makes compliance non-negotiable due to the substantial financial and reputational risks.

The Washington Consumer Data Privacy Act (Drafted, referenced as guideline): What Schools Should Know

While MHMDA is law, it's important to remember the Washington Consumer Data Privacy Act (Drafted, referenced as guideline) or Washington Privacy Act (WPA). Though this bill never passed, it reveals the state's direction on data protection and helps K-12 schools prepare for what's next.

The WPA was first introduced in 2019 and passed the state Senate multiple times but stalled in the House, often over disagreements about enforcement and a private right of action. Inspired by frameworks like GDPR and CCPA, the bill became a key reference for privacy discussions in the state. You can read an overview of its history in this Washington Privacy Act (WPA) overview. For context on how other states have handled similar legislation, see our guide on the Virginia Consumer Data Protection Act for K12 Districts.

Why the Drafted Washington Consumer Data Privacy Act Still Matters

Even though it didn't pass, the WPA remains relevant. It reveals legislative intent, showing a serious commitment to comprehensive privacy protections. It also serves as a baseline for future laws; legislators will likely use its framework as a starting point. Furthermore, the WPA's concepts heavily influenced MHMDA's development, suggesting a piecemeal approach to privacy regulation. Finally, it demonstrates the state's strong privacy focus, signaling that more regulation is likely.

Key Concepts from the Washington Consumer Data Privacy Act (Drafted, referenced as guideline)

The WPA contained several important concepts that will likely shape future legislation:

• Controller and Processor Roles: It defined controllers (like a school district) who determine how data is processed, and processors (like an EdTech vendor) who handle data on their behalf. This clarifies responsibility.

• Broad Consumer Rights: It proposed rights to access, delete, and correct personal data, as well as the right to data portability.

• Data Protection Assessments: For high-risk activities like processing sensitive data, the WPA would have required formal evaluations to identify and mitigate privacy risks.

• Opt-Out Rights: It included rights for consumers to opt out of data sales and targeted advertising.

For schools, understanding these concepts helps build systems that are proactive and prepared for future privacy laws.

Creating a Unified Compliance Strategy for Washington K-12 Schools

Navigating Washington's privacy laws requires a unified strategy that integrates RCW 28A.320.126, MHMDA, and the principles of the Washington Consumer Data Privacy Act (Drafted, referenced as guideline). This is about building trust with your community, not just checking compliance boxes.

A proactive approach is key. This means integrating requirements into one coherent strategy and implementing strong vendor risk management. Regular Cybersecurity Audits: Strengthening K-12 Schools Against Cyber Threats can help you stay ahead of risks from the many EdTech tools you use.

Step 1: Identify and Map Your Data

You can't protect what you don't know you have. Start by using data findy tools to scan your systems and locate where personal information resides. You might be surprised by what you find in old databases or shadow IT.

Next, classify your data. Distinguish between general student data (FERPA/RCW 28A.320.126) and potential "consumer health data" (MHMDA). Remember MHMDA's definition is broad—a wellness app or fitness tracker might qualify.

Finally, map your data flows. Create a visual chart showing how data moves within your district and to third-party vendors. This is fundamental to effective Data Processing.

Step 2: Review Policies and Consent Mechanisms

Ensure your policies align with legal requirements. Update your privacy policies to reflect RCW 28A.320.126. If you handle consumer health data, you must create a separate, standalone MHMDA policy that is clear and conspicuous.

Then, audit every consent mechanism. MHMDA requires explicit, opt-in consent—pre-checked boxes or passive agreement are invalid. Review every form and banner to ensure you are obtaining a clear, affirmative act of consent. Use simple language to build trust with families.

Step 3: Prepare for Consumer Rights Requests

Individuals have the right to access, correct, or delete their data. Your school must be ready to respond within tight deadlines.

• Establish a clear intake process: Create a simple way for parents or students to submit requests, like a dedicated email or online form.
• Train your staff on response procedures: Ensure staff understand the request types and legal deadlines (e.g., 30 days for deletion under MHMDA). Our guide on Incident Response Planning in K12 can help structure time-sensitive responses.
• Use consent management platforms: These tools can help track opt-in and opt-out preferences across your systems.
• Develop a secure identity verification process: Confirm you are responding to the correct person before sharing or deleting data.

Step 4: Train Your Staff and Vet Your Vendors

Compliance is a team sport. Every staff member plays a role.

• Understand MHMDA's definitions: Know if your district is a "regulated entity" or "small business" to determine your exact compliance obligations.
• Understand the exemptions: Data covered by FERPA and HIPAA is exempt from MHMDA, but health data collected outside these frameworks may not be. This nuance is where schools can get tripped up.
• Vet your vendors: Ensure every vendor contract includes robust processor obligations, requiring them to protect data to the same standard you do. Our guide on Contract Clauses Every School Should Demand in EdTech Agreements is a valuable resource.
• Invest in ongoing staff training: Regular, engaging Cybersecurity Training: Empowering K-12 Staff Against Cyber Threats is essential. Staff must understand what constitutes sensitive data, why consent matters, and how to handle requests.

To see where your district currently stands, consider getting a free phishing audit for your school district.

Frequently Asked Questions about Washington's Data Privacy Laws

Here are answers to common questions K-12 schools have about Washington's data privacy laws.

Does the My Health My Data Act apply to student data already covered by FERPA?

Generally, no. MHMDA exempts data already protected by federal laws like the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA). This means traditional student health records maintained by a school nurse or other educational records containing health information are typically exempt.

However, the exemption only applies if the data meets the definition of a FERPA-protected education record. If your school uses a third-party wellness app or mental health platform, and the data collected doesn't become part of an official education record, MHMDA could apply. This is the kind of consumer health data MHMDA was designed to cover. The Washington State AG FAQs on MHMDA offer more clarification.

What is the biggest difference between MHMDA and other state privacy laws?

MHMDA is one of the strictest state privacy laws for health data due to several key features:

• Powerful private right of action: Unlike many state laws, MHMDA allows individuals to sue organizations directly for violations, with potential for treble damages up to $25,000 per violation.
• Extremely broad definition of consumer health data: The law covers inferred health status, biometric data, and precise location information, going far beyond traditional medical records.
• No entity-level thresholds: MHMDA applies to any entity that does business in Washington and handles consumer health data, regardless of revenue or data volume. This impacts smaller organizations and EdTech vendors.
• Strict opt-in consent model: It requires explicit, affirmative consent before collecting or sharing consumer health data, a higher standard than the opt-out models in many other laws.

What is a "geofence" and why is it banned near health care services under MHMDA?

A geofence is a virtual boundary around a real-world location. When a mobile device crosses this boundary, it can trigger an action, like collecting data or sending a notification.

MHMDA strictly prohibits implementing geofences around facilities that provide in-person health care services. This ban is designed to prevent organizations from identifying, tracking, or targeting consumers seeking sensitive health services, such as reproductive or gender-affirming care.

This provision is an absolute prohibition with no exceptions, even with consent. For schools, this is relevant if you have on-campus health centers or use apps that track student location. You must ensure you are not inadvertently violating this ban if students are near health facilities.

Unifying Privacy: Protecting Washington's K-12 Data

Washington's data privacy landscape is a complex mix of student protections, health data regulations, and guiding legislative principles. For K-12 schools, this requires a proactive, multi-layered compliance strategy that addresses RCW 28A.320.126, the My Health My Data Act, and the concepts in the Washington Consumer Data Privacy Act (Drafted, referenced as guideline).

The requirements are detailed and the consequences for non-compliance are significant. But protecting student data is fundamentally about building trust. When parents and students feel their information is secure, it fosters a safe learning environment and reinforces your district's reputation as a responsible steward of sensitive data.

Robust data privacy begins with strong cybersecurity practices. Your policies are only as strong as the people implementing them. If staff can't spot phishing emails or accidentally expose data, your district remains at risk. The human element is your most critical line of defense.

At CyberNut, we specialize in providing custom, engaging cybersecurity training for K-12 schools. Our low-touch, gamified micro-trainings make phishing awareness and cybersecurity fundamentals simple and effective. We help build a human firewall, turning your staff into active defenders against digital threats.

Is your school district prepared for evolving cyber threats? Are you confident your staff can spot a phishing email before it becomes a data breach?

Get a free phishing audit for your school district today! Our audit will reveal your vulnerabilities and show you how to close those gaps.

To dive deeper into K-12 cybersecurity best practices, explore our other resources.

Explore more cybersecurity resources