What Washington Schools Should Know About the

Why Student Data Privacy in Washington Schools Matters

The Washington Student User Privacy in Education Rights (SUPER) Act is a state law enacted in 2015 to protect K-12 student data from misuse by educational technology vendors. Taking effect on July 1, 2016, it places direct legal obligations on school service providers, not just schools.

Quick Overview of the SUPER Act:

• What it does: Prohibits vendors from selling student data, using it for targeted advertising, or creating commercial student profiles.
• Who it protects: All K-12 students in Washington State.
• Who must comply: School service providers (websites, apps, and online services).
• Key requirements: Comprehensive security, data deletion upon request, and transparent privacy policies.

As a K-12 IT Director, you're on the front line of protecting student data. Your district uses numerous EdTech tools, each collecting student information and each required to comply with the SUPER Act.

This law is part of a nationwide trend to strengthen student privacy. Unlike FERPA, which primarily holds schools responsible, the SUPER Act holds EdTech vendors directly accountable. When a vendor has a breach or misuses data, your students and your district's reputation are at risk. The SUPER Act provides the legal backing to demand better from your technology partners.

Quick look at Washington Student User Privacy in Education Rights (SUPER) Act:

• All About FERPA: The Federal Student Privacy Law That Still Matters in 2025
• All About New York’s Education Law § 2-d: Student Data Privacy, Explained
• California’s AB 1584: What Schools Must Know About Digital Contracts with EdTech Vendors

Understanding the SUPER Act's Framework

For K-12 IT directors in Washington, the SUPER Act is a critical piece of legislation governing vendor contracts and data privacy. Let's break down what it means for your work.

What is the Washington Student User Privacy in Education Rights (SUPER) Act?

The Washington Student User Privacy in Education Rights (SUPER) Act was created to address the growing flow of student data to third-party companies. Enacted in 2015, its primary goal is to protect K-12 student personal information from misuse by EdTech vendors.

What makes the SUPER Act different is that it places direct legal obligations on the vendors themselves, not just on schools. Before this law, if a vendor mishandled data, the school often faced the legal consequences. Now, the companies that operate school services have their own rules to follow, covering all K-12 students in Washington State.

For the exact legal language, you can review the official Definitions under the SUPER Act.

Key Definitions Under the Act

Four key terms define the Act's scope:

• School Service: A website, app, or online service designed for K-12 schools, used at the direction of school staff, that collects student personal information. It excludes general audience services.
• School Service Provider: Any entity that operates a school service.
• Student Personal Information: Any information collected through a school service that personally identifies a student or is linked to their identity. This includes names, assignment history, quiz scores, and behavioral data.
• Targeted Advertising: Selecting ads based on a student's online behavior or personal information. The Act prohibits this but allows adaptive learning and personalized educational features.

How SUPER Supplements Federal Law like FERPA

While the Family Educational Rights and Privacy Act (FERPA) is still vital, it works differently than the SUPER Act. FERPA primarily regulates schools that receive federal funding, holding the school accountable for privacy violations.

This school-focused approach was not designed for today's cloud-based environment, where dozens of vendors handle student data. The Washington Student User Privacy in Education Rights (SUPER) Act fills this gap by creating direct liability for vendors. Companies operating school services must comply with Washington's rules, regardless of their contract terms.

Think of it as a two-layer defense: FERPA provides institutional-level protections, while SUPER provides state-level protections that hold your EdTech partners directly accountable. This gives you more leverage to ensure vendors take data privacy seriously.

For a comprehensive look at how FERPA works, check out our guide: All About FERPA: The Federal Student Privacy Law That Still Matters in 2025.

Core Obligations Under the Washington Student User Privacy in Education Rights (SUPER) Act

The Washington Student User Privacy in Education Rights (SUPER) Act imposes powerful mandates on school service providers to protect student data. Here’s what these companies must do.

Prohibitions on Data Use: Advertising and Profiling

The SUPER Act draws a hard line against the commercial exploitation of student data.

• No targeted advertising to students. Providers are prohibited from using or sharing student personal information for targeted advertising. This keeps the learning environment free from commercial manipulation. The law does, however, permit adaptive learning and other personalized educational features.
• No commercial profiling of students. Providers cannot create personal profiles of students for non-educational, commercial purposes. A student's learning patterns should inform their education, not become a commodity.
• No selling student data. The Act includes a straightforward ban on selling student personal information. The only narrow exception is for mergers or acquisitions, where the acquiring company must continue to comply with all SUPER Act provisions.

Security Program and Data Breach Requirements

The SUPER Act mandates robust security measures. School service providers must maintain a comprehensive information security program designed to protect the security, privacy, and integrity of student personal information. This program must include:

• Administrative safeguards: Policies, procedures, and training for personnel on secure data handling.
• Technological safeguards: Encryption, firewalls, intrusion detection, and access controls to protect data from unauthorized access.
• Physical safeguards: Measures to protect physical access to systems and facilities where data is stored.

While the SUPER Act mandates these programs, specific data breach notification procedures are typically defined by other state laws and in Data Privacy Agreements (DPAs) between schools and providers. These agreements outline the provider's duties in the event of a breach.

For more on protecting your school's digital assets, explore our resources on Cybersecurity for Educational Institutions. You can also review the legal requirements here: Comprehensive information security program—Deletion of student personal information.

To assess your district's vulnerability to common attacks, get a complimentary phishing audit.

Transparency, Consent, and Access Rights

The SUPER Act empowers parents and students with rights regarding their data.

Providers must offer clear information about what data they collect and how it's used. They must also provide prominent notice before making material changes to their privacy policies. This transparency allows schools and families to make informed decisions.

Parents and students have the right to access and request corrections to their personal information. Providers must facilitate this process, either directly or through the school.

Finally, consent is required for using student data in a manner not authorized by the school or inconsistent with the provider's privacy policy. This ensures data handling remains a transparent process built on clarity and respect.

Data Lifecycle Management: Use, Deletion, and Exceptions

The Washington Student User Privacy in Education Rights (SUPER) Act provides clear rules for managing student data from its collection to its deletion, ensuring it is handled carefully throughout its lifecycle.

What Student Information is Protected?

The SUPER Act protects a broad category of data called "student personal information." This includes:

• Personally Identifiable Information (PII): Data that directly identifies a student, such as a name, address, or student ID number.
• Linked Information: Any other data that is connected to a student's identity, like quiz scores, login times, or behavioral data.
• Student-Generated Content: Essays, projects, or discussion board posts created by a student within a school service.

This comprehensive definition prevents companies from de-identifying data for commercial use if it can still be linked back to an individual student.

Authorized Purposes for Data Collection and Use

The SUPER Act's guiding principle is that student data should serve educational, not commercial, purposes. Data collection and use are permitted when authorized by the educational institution or teacher or with the explicit consent of the student or parent.

The Act specifically allows data to be used for beneficial purposes, including:

• Adaptive learning or personalized education.
• Maintaining, developing, or improving the school service.
• Recommending educational or employment opportunities.
• Fulfilling a student's request for their own information or feedback.

The key distinction is intent. Using data to help a student learn is authorized; using it to sell products is prohibited.

Procedures for Data Deletion

A powerful provision of the SUPER Act is the requirement for data deletion. School service providers must delete student personal information within a reasonable timeframe upon request from the educational institution.

This gives schools control over the data lifecycle, ensuring that information from graduated students or discontinued services doesn't remain on corporate servers indefinitely.

Exceptions to this rule include:

• Consent for retention is obtained from the student or parent.
• Another educational institution requests retention (e.g., upon a student transfer).

The Act also clarifies that students have the right to download, export, or otherwise maintain their own student-created content. This ensures students retain ownership of their work.

Navigating Compliance: Allowances and Limitations

The Washington Student User Privacy in Education Rights (SUPER) Act sets firm boundaries but is not designed to be a roadblock to innovation. It includes clear allowances that permit educational technology to be used responsibly and effectively.

Specific Allowances for EdTech Innovation

The SUPER Act encourages innovation that directly benefits students. It specifically allows data to be used for:

• Adaptive learning and personalized education: A math program can adjust difficulty levels, or a reading app can recommend books based on a student's skill level.
• Service improvement: Providers can analyze usage data to fix bugs and improve platform features.
• Educational or employment recommendations: Career exploration tools can suggest pathways based on a student's interests.
• Responding to student requests: Providers can use a student's data to fulfill their request for information or feedback.

These allowances ensure that privacy protection and educational innovation can work hand in hand.

What the SUPER Act Does Not Apply To

To focus its protections, the Act does not cover certain services. Key exemptions include:

• General audience websites and services not designed and marketed for K-12 use.
• Internet service providers that only provide connectivity.
• General-purpose app marketplaces.

Additionally, the Act does not prevent students from downloading or maintaining their own data, nor does it prohibit marketing educational products to parents, as long as it is not based on data obtained through a school service.

Implications of the Washington Student User Privacy in Education Rights (SUPER) Act for EdTech

For EdTech vendors, the SUPER Act raises the bar for data privacy.

• Direct Liability: Unlike FERPA, SUPER places legal responsibility directly on vendors for non-compliance. This creates a powerful incentive to prioritize privacy.
• Data Privacy Agreements (DPAs): These contracts are critical for outlining how student data will be collected, used, secured, and deleted. They create clarity and accountability for both schools and vendors.
• Contractual and Subcontractor Compliance: Vendor contracts must reflect SUPER's requirements. This responsibility extends to any subcontractors, creating a chain of accountability that protects student data at every step.

Vendors must now operate with robust data governance, transparent policies, and rigorous security. This shared responsibility is more important than ever as digital threats evolve. To learn more, read our insights on Cybersecurity Risks: Protecting K-12 Schools from Evolving Threats. You can also get a complimentary phishing audit for your school district to identify vulnerabilities.

Frequently Asked Questions about the SUPER Act

Here are concise answers to common questions about the Washington Student User Privacy in Education Rights (SUPER) Act.

Can school service providers use student data for advertising?

No. The Washington Student User Privacy in Education Rights (SUPER) Act explicitly prohibits using student personal information for targeted advertising. The law makes a clear distinction between prohibited commercial advertising and allowed educational uses, such as adaptive learning or personalized instruction.

What are the security requirements for vendors under the SUPER Act?

Vendors must maintain a comprehensive information security program designed to protect the security, privacy, and integrity of student data. This program must include reasonable administrative, technological, and physical safeguards to prevent unauthorized access, use, or disclosure.

How does the SUPER Act handle data deletion?

The Washington Student User Privacy in Education Rights (SUPER) Act requires school service providers to delete student personal information within a reasonable period upon request from the school. This gives educational institutions control over the data lifecycle. Exceptions exist if a student or parent consents to retention or if the data is needed for a transfer to another school. The Act also ensures students can download or keep their own work.

Conclusion: Strengthening Student Privacy in Washington

The Washington Student User Privacy in Education Rights (SUPER) Act is a landmark law that promises our students a protected digital learning journey. By placing direct, enforceable obligations on EdTech vendors, it creates a vital safety net. The Act bans selling student data and using it for targeted advertising, requires comprehensive security, and empowers schools with data deletion rights, all while allowing for beneficial educational innovation.

For K-12 IT directors and administrators, understanding the SUPER Act is about more than compliance—it's about upholding a responsibility to protect students. However, strong laws are only part of the solution. Human error remains a significant vulnerability, and a single phishing email can bypass the best technical defenses if staff aren't prepared.

At CyberNut, we specialize in turning your staff into your strongest line of defense. Our gamified, automated micro-trainings are designed for the unique needs of K-12 schools, making cybersecurity training engaging and effective without overwhelming your team.

The SUPER Act gives you the legal framework to demand better from vendors. Now is the time to ensure your own team is equally prepared.

Want to see how your school stacks up against real-world phishing threats? Get a complimentary phishing audit for your school district and find where your vulnerabilities lie before attackers do.

Ready to build a comprehensive cybersecurity culture in your district? Explore our cybersecurity resources for K-12 schools to learn how CyberNut can help protect your students, staff, and data with training that actually works.