Washington Student Data Privacy Legal Compliance Guide

The following chart provides a brief overview of the laws of the state of Washington addressing privacy and security of student and teacher data, and the corresponding provisions of Microsoft’s standard operating documents that demonstrate compliance with those laws and regulations.

As an entity that provides online services, Microsoft is a “school service provider” under Washington law.  Under RCW § 28A.604.020(3), school service providers shall facilitate access to and correction of student personal information by students or their parent or guardian either directly or through the relevant educational institution or teacher.

Microsoft’s standard Online Services Data Protection Addendum (“DPA”) addresses the requirements imposed on operators by Washington’s statutory framework.  The DPA sets forth Microsoft’s standard obligations with respect to the processing and security of customer data and personal data in connection with Microsoft’s provision of online services. 

The reference chart below briefly identifies those provisions of Washington law that are applicable to operators such as Microsoft, and the relevant provision(s) from Microsoft’s DPA that addresses Microsoft’s compliance with that requirement.

Washington Law ProvisionCompliant Microsoft Provision(s)
RCW § 28A.604.020(1)
Disclosure of the types of student personal information collected and used
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
RCW § 28A.604.020(2)
Notice of material changes to privacy policies
Microsoft Online Services Data Protection Addendum -> Notices
RCW § 28A.604.030(1)
Use of student personal information only for purposes authorized by the relevant educational institution or teacher, or with the consent of the student or the student’s parent or guardian
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
RCW § 28A.604.030(2)
Restriction on sale of student personal information
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services

Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> California Consumer Privacy Act (CCPA)
RCW § 28A.604.030(3)
Targeted advertising based on student personal information
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
RCW § 28A.604.030(4)
Restriction on creating a student personal profile
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services
RCW § 28A.604.030(5)
Requirement to obtain consent before using student personal information in a manner that is materially inconsistent with the school service provider’s privacy policy or school contract for the applicable school service in effect at the time of collection
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing to Provide Customer the Online Services

Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Nature of Data Processing; Ownership -> Processing for Microsoft’s Legitimate Business Operations
RCW § 28A.604.040(1)
Security procedures and practices
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Security -> Security Practices and Policies

See also Microsoft Online Services Data Protection Addendum -> Appendix A – Security Measures
RCW § 28A.604.040(2)
Deletion of covered information
Microsoft Online Services Data Protection Addendum -> Data Protection Terms -> Data Retention and Deletion