Washington Student Data Privacy (SUPER Act) Guide

Primary Law
Student User Privacy in Education Rights (SUPER) Act

Citation
RCW 28A.604 (notably 28A.604.020 through 28A.604.040)

Official Text
https://app.leg.wa.gov/RCW/default.aspx?cite=28A.604&full=true

Overview

Washington's SUPER Act regulates how school service providers collect, use, share, and secure student personal information when their services are used for K-12 school purposes. The law focuses on transparency (clear disclosures and notice of policy changes), limits on targeted advertising and certain secondary uses, and expectations for security and deletion practices.

For districts, the practical approach is to evaluate vendors in three areas: what student personal information is collected, how it is used and disclosed, and what security and deletion controls exist to reduce long-term risk.

Applicability and Scope

Washington's requirements apply to school services (websites, mobile applications, or online services) that are designed and marketed for K-12 school use, used at the direction of educators, and that collect, maintain, or use student personal information.

District teams typically treat the law as in-scope for:

• Learning platforms, classroom apps, and assessment tools used by students
• Tools that create accounts for students and store identifiers or student work
• Vendors that integrate with district systems or receive student roster data

Transparency and Notice Requirements

School service providers must provide clear, easy-to-understand information about the types of student personal information collected and how the information is used and shared. Providers must also give prominent notice before making material changes to privacy policies for school services.

Limits on Targeted Advertising and Secondary Use

Washington restricts the use or sharing of student personal information for targeted advertising to students. Districts should verify that vendors do not repurpose school-collected data for ad targeting, marketing, or non-school profiling.

District review commonly documents:

• Whether targeted advertising is prohibited when based on student use of the school service
• Whether student profiles are limited to school-authorized educational purposes
• Whether disclosures are limited to providing the service and supporting functionality

Security Program and Deletion Practices

Washington requires expectations around information security and deletion of student personal information. Districts should confirm vendors have an information security program aligned with the sensitivity of student data and that they can delete data when it is no longer needed or upon appropriate request.

How Can EdPrivacy Help Washington Schools

Washington compliance is easier when districts can quickly answer: what data does the tool touch, what are the allowed uses, and what controls exist for security, access, and deletion. EdPrivacy helps Washington schools centralize vendor documentation and approval decisions so these answers are consistent across many tools.

The platform helps districts:

• Maintain an up-to-date list of edtech tools and flag which ones collect student personal information
• Save vendor privacy disclosures, notices, and security documentation alongside district approval records
• Record conditions for approval (no targeted advertising, limited sharing, deletion expectations)
• Track policy updates and trigger re-review when vendor terms materially change

Summary

Washington districts should be prepared to:

• Review vendor disclosures and require clear notice of material privacy policy changes
• Confirm student personal information is not used or shared for targeted advertising
• Verify security and deletion controls for tools that store student data
• Maintain documentation that supports repeatable approvals and ongoing oversight

Washington's SUPER Act encourages districts to combine transparency, use limitations, and security controls into a practical vendor governance workflow.