| 1 | 1 | | 1.1 A bill for an act |
|---|
| 2 | 2 | | 1.2 relating to government data practices; requiring public postsecondary institutions |
|---|
| 3 | 3 | | 1.3 to keep certain student information private; requiring consent before collecting |
|---|
| 4 | 4 | | 1.4 student location data; amending Minnesota Statutes 2024, section 13.32, subdivision |
|---|
| 5 | 5 | | 1.5 5; proposing coding for new law in Minnesota Statutes, chapter 135A. |
|---|
| 6 | 6 | | 1.6BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA: |
|---|
| 7 | 7 | | 1.7 Section 1. Minnesota Statutes 2024, section 13.32, subdivision 5, is amended to read: |
|---|
| 8 | 8 | | 1.8 Subd. 5.Directory information.(a) Educational data designated as directory information |
|---|
| 9 | 9 | | 1.9is public data on individuals to the extent required under federal law. Directory information |
|---|
| 10 | 10 | | 1.10must be designated pursuant to the provisions of: |
|---|
| 11 | 11 | | 1.11 (1) this subdivision; and |
|---|
| 12 | 12 | | 1.12 (2) United States Code, title 20, section 1232g, and Code of Federal Regulations, title |
|---|
| 13 | 13 | | 1.1334, section 99.37, which were in effect on January 3, 2012. |
|---|
| 14 | 14 | | 1.14 (b) When conducting the directory information designation and notice process required |
|---|
| 15 | 15 | | 1.15by federal law, an educational agency or institution shall give parents and students notice |
|---|
| 16 | 16 | | 1.16of the right to refuse to let the agency or institution designate specified data about the student |
|---|
| 17 | 17 | | 1.17as directory information. This notice may be given by any means reasonably likely to inform |
|---|
| 18 | 18 | | 1.18the parents and students of the right. |
|---|
| 19 | 19 | | 1.19 (c) An educational agency or institution may not designate a student's home address, |
|---|
| 20 | 20 | | 1.20telephone number, email address, or other personal contact information as directory |
|---|
| 21 | 21 | | 1.21information under this subdivision. This paragraph does not apply to a postsecondary |
|---|
| 22 | 22 | | 1.22institution. |
|---|
| 23 | 23 | | 1Section 1. |
|---|
| 24 | 24 | | 25-01187 as introduced01/14/25 REVISOR VH/ES |
|---|
| 25 | 25 | | SENATE |
|---|
| 26 | 26 | | STATE OF MINNESOTA |
|---|
| 27 | 27 | | S.F. No. 710NINETY-FOURTH SESSION |
|---|
| 28 | 28 | | (SENATE AUTHORS: LUCERO) |
|---|
| 29 | 29 | | OFFICIAL STATUSD-PGDATE |
|---|
| 30 | 30 | | Introduction and first reading01/27/2025 |
|---|
| 31 | 31 | | Referred to Higher Education 2.1 (d) When requested, educational agencies or institutions must share personal student |
|---|
| 32 | 32 | | 2.2contact information and directory information, whether public or private, with the Minnesota |
|---|
| 33 | 33 | | 2.3Department of Education, as required for federal reporting purposes. |
|---|
| 34 | 34 | | 2.4 (e) When requested, educational agencies or institutions may share personal student |
|---|
| 35 | 35 | | 2.5contact information and directory information for students served in special education with |
|---|
| 36 | 36 | | 2.6postsecondary transition planning and services under section 125A.08, paragraph (b), clause |
|---|
| 37 | 37 | | 2.7(1), whether public or private, with the Department of Employment and Economic |
|---|
| 38 | 38 | | 2.8Development, as required for coordination of services to students with disabilities under |
|---|
| 39 | 39 | | 2.9sections 125A.08, paragraph (b), clause (1); 125A.023; and 125A.027. |
|---|
| 40 | 40 | | 2.10 (f) A public postsecondary institution must maintain documentation of a request for |
|---|
| 41 | 41 | | 2.11directory information on 100 students or more for four years from the date of the request. |
|---|
| 42 | 42 | | 2.12A public postsecondary institution's directory information policy must not permit an |
|---|
| 43 | 43 | | 2.13individual's email address, physical address, telephone number, or identification card |
|---|
| 44 | 44 | | 2.14photograph to be publicly disclosed. A student whose directory information has been |
|---|
| 45 | 45 | | 2.15requested must be allowed to review the documentation maintained by the institution |
|---|
| 46 | 46 | | 2.16regarding that request. |
|---|
| 47 | 47 | | 2.17 Sec. 2. [135A.146] STUDENT LOCATION DATA. |
|---|
| 48 | 48 | | 2.18 Subdivision 1.Definition."Technology provider" means a person who: |
|---|
| 49 | 49 | | 2.19 (1) contracts with a public or private postsecondary educational institution to provide |
|---|
| 50 | 50 | | 2.20technological devices for student use or to provide access to a software or online application; |
|---|
| 51 | 51 | | 2.21and |
|---|
| 52 | 52 | | 2.22 (2) creates, receives, or maintains location data pursuant or incidental to a contract with |
|---|
| 53 | 53 | | 2.23a public or private postsecondary educational institution. |
|---|
| 54 | 54 | | 2.24 Subd. 2.Consent.(a) A public or private postsecondary educational institution must |
|---|
| 55 | 55 | | 2.25not collect data on a student's location without the student consenting to having location |
|---|
| 56 | 56 | | 2.26data collected. A public or private postsecondary educational institution must not require a |
|---|
| 57 | 57 | | 2.27student's consent to location data collection as a condition of: |
|---|
| 58 | 58 | | 2.28 (1) enrolling in the institution or any program or class; |
|---|
| 59 | 59 | | 2.29 (2) receiving a scholarship or other financial aid award; or |
|---|
| 60 | 60 | | 2.30 (3) entering into a dining contract, housing contract, or any other agreement for the |
|---|
| 61 | 61 | | 2.31provision of a basic university service, including connecting to campus Wi-Fi. |
|---|
| 62 | 62 | | 2Sec. 2. |
|---|
| 63 | 63 | | 25-01187 as introduced01/14/25 REVISOR VH/ES 3.1 (b) A student who gives consent to having location data collected may revoke that consent |
|---|
| 64 | 64 | | 3.2at any time. |
|---|
| 65 | 65 | | 3.3 Subd. 3.Notice.(a) Within 30 days of the start of each school year, a public or private |
|---|
| 66 | 66 | | 3.4postsecondary educational institution must give students notice, by United States mail, |
|---|
| 67 | 67 | | 3.5email, or other direct form of communication, of any technology provider contract gathering |
|---|
| 68 | 68 | | 3.6a student's location data. The notice must: |
|---|
| 69 | 69 | | 3.7 (1) be written in plain language; |
|---|
| 70 | 70 | | 3.8 (2) identify each technology provider collecting location data; |
|---|
| 71 | 71 | | 3.9 (3) identify the location data gathered by the technology provider contract; |
|---|
| 72 | 72 | | 3.10 (4) include information about the consent required in subdivision 2, including the right |
|---|
| 73 | 73 | | 3.11to revoke consent; and |
|---|
| 74 | 74 | | 3.12 (5) include information about how to access a copy of the contract in accordance with |
|---|
| 75 | 75 | | 3.13paragraph (b). |
|---|
| 76 | 76 | | 3.14 (b) A public or private postsecondary educational institution must publish a complete |
|---|
| 77 | 77 | | 3.15copy of any contract with a technology provider on the institution's website for the duration |
|---|
| 78 | 78 | | 3.16of the contract. |
|---|
| 79 | 79 | | 3.17 Subd. 4.Location data.(a) A technology provider contracting with a public |
|---|
| 80 | 80 | | 3.18postsecondary institution is subject to the provisions of section 13.05, subdivision 11. An |
|---|
| 81 | 81 | | 3.19assignee or delegate that creates, receives, or maintains location data is subject to the same |
|---|
| 82 | 82 | | 3.20restrictions and obligations under this section as the technology provider. |
|---|
| 83 | 83 | | 3.21 (b) Location data created, received, or maintained by a technology provider pursuant or |
|---|
| 84 | 84 | | 3.22incidental to a contract with a public or private postsecondary educational institution are |
|---|
| 85 | 85 | | 3.23not the technology provider's property. |
|---|
| 86 | 86 | | 3.24 (c) If location data maintained by the technology provider are subject to a breach of the |
|---|
| 87 | 87 | | 3.25security of the data, as defined in section 13.055, the technology provider must, following |
|---|
| 88 | 88 | | 3.26discovery of the breach, disclose to the public postsecondary educational institution all |
|---|
| 89 | 89 | | 3.27information necessary to fulfill the requirements of section 13.055. |
|---|
| 90 | 90 | | 3.28 (d) Within 30 days of the expiration of the contract, unless renewal of the contract is |
|---|
| 91 | 91 | | 3.29reasonably anticipated, a technology provider must destroy or return to the appropriate |
|---|
| 92 | 92 | | 3.30public or private postsecondary educational institution all location data created, received, |
|---|
| 93 | 93 | | 3.31or maintained pursuant or incidental to the contract. |
|---|
| 94 | 94 | | 3.32 (e) A technology provider must not: |
|---|
| 95 | 95 | | 3Sec. 2. |
|---|
| 96 | 96 | | 25-01187 as introduced01/14/25 REVISOR VH/ES 4.1 (1) sell, share, or disseminate location data, except as provided by this section or as part |
|---|
| 97 | 97 | | 4.2of a valid delegation or assignment of its contract with a public or private postsecondary |
|---|
| 98 | 98 | | 4.3educational institution; or |
|---|
| 99 | 99 | | 4.4 (2) use location data for any commercial purpose, including but not limited to marketing |
|---|
| 100 | 100 | | 4.5or advertising to a student or parent. |
|---|
| 101 | 101 | | 4.6 Subd. 5.Procedures.(a) A technology provider must establish written procedures to |
|---|
| 102 | 102 | | 4.7ensure appropriate security safeguards are in place for location data. A technology provider's |
|---|
| 103 | 103 | | 4.8written procedures must require that: |
|---|
| 104 | 104 | | 4.9 (1) only authorized employees or contractors can access the location data; |
|---|
| 105 | 105 | | 4.10 (2) a person is authorized to access location data only if access is necessary to fulfill |
|---|
| 106 | 106 | | 4.11official duties; and |
|---|
| 107 | 107 | | 4.12 (3) all actions in which location data are entered, updated, accessed, shared, or |
|---|
| 108 | 108 | | 4.13disseminated are recorded in a log of use that includes the identity of the person interacting |
|---|
| 109 | 109 | | 4.14with the data and what action was performed. Information recorded in the log of use must |
|---|
| 110 | 110 | | 4.15be retained for at least one year. |
|---|
| 111 | 111 | | 4.16 (b) A technology provider's written procedures establishing security safeguards for |
|---|
| 112 | 112 | | 4.17location data are public data, unless classified as not public under any other applicable law. |
|---|
| 113 | 113 | | 4.18 EFFECTIVE DATE.This section is effective July 1, 2025. |
|---|
| 114 | 114 | | 4Sec. 2. |
|---|
| 115 | 115 | | 25-01187 as introduced01/14/25 REVISOR VH/ES |
|---|