One important thing to think about for privacy that I suspect students won't is that MAC addresses have internal structure. Depending on whether the assigning company has MA-L (formerly OUI), MA-M, or MA-S prefixes, the first 24, 28 or 36 bits of the address merely identify the assigner, and as long as assignment is dense, companies are allowed to add structure in the remaining bits.

So, if you divide the address into pieces without considering the patterns, you could end up in a place where (e.g.) the server is actually sending a piece that corresponds to "all owners of an iPhone 11", or "all owners of a Samsung Galaxy S10 5G", and the client is mapping out potentially high-value targets for you to steal from.

Worse, those patterns change over time - when I first looked at all this, MA-L was all there was, and it was called an OUI. If your splitting took (say) 1st octet, 3rd octet and 4th octet from the server, the introduction of MA-S means that you're now allowing the server to query for groups of 256 MA-S owners at a time, instead of groups of 65536 devices from up to 256 assignees.

This is a really challenging thing to get right, and you need lots of context to avoid privacy issues.