MN
Minnesota Senate Bill SF710

Minnesota 2025-2026 Regular Session

Minnesota Senate Bill SF710 Latest Draft

Bill / Introduced Version Filed 01/24/2025 

                            1.1	A bill for an act​
1.2 relating to government data practices; requiring public postsecondary institutions​
1.3 to keep certain student information private; requiring consent before collecting​
1.4 student location data; amending Minnesota Statutes 2024, section 13.32, subdivision​
1.5 5; proposing coding for new law in Minnesota Statutes, chapter 135A.​
1.6BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:​
1.7 Section 1. Minnesota Statutes 2024, section 13.32, subdivision 5, is amended to read:​
1.8 Subd. 5.Directory information.(a) Educational data designated as directory information​
1.9is public data on individuals to the extent required under federal law. Directory information​
1.10must be designated pursuant to the provisions of:​
1.11 (1) this subdivision; and​
1.12 (2) United States Code, title 20, section 1232g, and Code of Federal Regulations, title​
1.1334, section 99.37, which were in effect on January 3, 2012.​
1.14 (b) When conducting the directory information designation and notice process required​
1.15by federal law, an educational agency or institution shall give parents and students notice​
1.16of the right to refuse to let the agency or institution designate specified data about the student​
1.17as directory information. This notice may be given by any means reasonably likely to inform​
1.18the parents and students of the right.​
1.19 (c) An educational agency or institution may not designate a student's home address,​
1.20telephone number, email address, or other personal contact information as directory​
1.21information under this subdivision. This paragraph does not apply to a postsecondary​
1.22institution.​
1​Section 1.​
25-01187 as introduced​01/14/25 REVISOR VH/ES​
SENATE​
STATE OF MINNESOTA​
S.F. No. 710​NINETY-FOURTH SESSION​
(SENATE AUTHORS: LUCERO)​
OFFICIAL STATUS​D-PG​DATE​
Introduction and first reading​01/27/2025​
Referred to Higher Education​ 2.1 (d) When requested, educational agencies or institutions must share personal student​
2.2contact information and directory information, whether public or private, with the Minnesota​
2.3Department of Education, as required for federal reporting purposes.​
2.4 (e) When requested, educational agencies or institutions may share personal student​
2.5contact information and directory information for students served in special education with​
2.6postsecondary transition planning and services under section 125A.08, paragraph (b), clause​
2.7(1), whether public or private, with the Department of Employment and Economic​
2.8Development, as required for coordination of services to students with disabilities under​
2.9sections 125A.08, paragraph (b), clause (1); 125A.023; and 125A.027.​
2.10 (f) A public postsecondary institution must maintain documentation of a request for​
2.11directory information on 100 students or more for four years from the date of the request.​
2.12A public postsecondary institution's directory information policy must not permit an​
2.13individual's email address, physical address, telephone number, or identification card​
2.14photograph to be publicly disclosed. A student whose directory information has been​
2.15requested must be allowed to review the documentation maintained by the institution​
2.16regarding that request.​
2.17 Sec. 2. [135A.146] STUDENT LOCATION DATA.​
2.18 Subdivision 1.Definition."Technology provider" means a person who:​
2.19 (1) contracts with a public or private postsecondary educational institution to provide​
2.20technological devices for student use or to provide access to a software or online application;​
2.21and​
2.22 (2) creates, receives, or maintains location data pursuant or incidental to a contract with​
2.23a public or private postsecondary educational institution.​
2.24 Subd. 2.Consent.(a) A public or private postsecondary educational institution must​
2.25not collect data on a student's location without the student consenting to having location​
2.26data collected. A public or private postsecondary educational institution must not require a​
2.27student's consent to location data collection as a condition of:​
2.28 (1) enrolling in the institution or any program or class;​
2.29 (2) receiving a scholarship or other financial aid award; or​
2.30 (3) entering into a dining contract, housing contract, or any other agreement for the​
2.31provision of a basic university service, including connecting to campus Wi-Fi.​
2​Sec. 2.​
25-01187 as introduced​01/14/25 REVISOR VH/ES​ 3.1 (b) A student who gives consent to having location data collected may revoke that consent​
3.2at any time.​
3.3 Subd. 3.Notice.(a) Within 30 days of the start of each school year, a public or private​
3.4postsecondary educational institution must give students notice, by United States mail,​
3.5email, or other direct form of communication, of any technology provider contract gathering​
3.6a student's location data. The notice must:​
3.7 (1) be written in plain language;​
3.8 (2) identify each technology provider collecting location data;​
3.9 (3) identify the location data gathered by the technology provider contract;​
3.10 (4) include information about the consent required in subdivision 2, including the right​
3.11to revoke consent; and​
3.12 (5) include information about how to access a copy of the contract in accordance with​
3.13paragraph (b).​
3.14 (b) A public or private postsecondary educational institution must publish a complete​
3.15copy of any contract with a technology provider on the institution's website for the duration​
3.16of the contract.​
3.17 Subd. 4.Location data.(a) A technology provider contracting with a public​
3.18postsecondary institution is subject to the provisions of section 13.05, subdivision 11. An​
3.19assignee or delegate that creates, receives, or maintains location data is subject to the same​
3.20restrictions and obligations under this section as the technology provider.​
3.21 (b) Location data created, received, or maintained by a technology provider pursuant or​
3.22incidental to a contract with a public or private postsecondary educational institution are​
3.23not the technology provider's property.​
3.24 (c) If location data maintained by the technology provider are subject to a breach of the​
3.25security of the data, as defined in section 13.055, the technology provider must, following​
3.26discovery of the breach, disclose to the public postsecondary educational institution all​
3.27information necessary to fulfill the requirements of section 13.055.​
3.28 (d) Within 30 days of the expiration of the contract, unless renewal of the contract is​
3.29reasonably anticipated, a technology provider must destroy or return to the appropriate​
3.30public or private postsecondary educational institution all location data created, received,​
3.31or maintained pursuant or incidental to the contract.​
3.32 (e) A technology provider must not:​
3​Sec. 2.​
25-01187 as introduced​01/14/25 REVISOR VH/ES​ 4.1 (1) sell, share, or disseminate location data, except as provided by this section or as part​
4.2of a valid delegation or assignment of its contract with a public or private postsecondary​
4.3educational institution; or​
4.4 (2) use location data for any commercial purpose, including but not limited to marketing​
4.5or advertising to a student or parent.​
4.6 Subd. 5.Procedures.(a) A technology provider must establish written procedures to​
4.7ensure appropriate security safeguards are in place for location data. A technology provider's​
4.8written procedures must require that:​
4.9 (1) only authorized employees or contractors can access the location data;​
4.10 (2) a person is authorized to access location data only if access is necessary to fulfill​
4.11official duties; and​
4.12 (3) all actions in which location data are entered, updated, accessed, shared, or​
4.13disseminated are recorded in a log of use that includes the identity of the person interacting​
4.14with the data and what action was performed. Information recorded in the log of use must​
4.15be retained for at least one year.​
4.16 (b) A technology provider's written procedures establishing security safeguards for​
4.17location data are public data, unless classified as not public under any other applicable law.​
4.18 EFFECTIVE DATE.This section is effective July 1, 2025.​
4​Sec. 2.​
25-01187 as introduced​01/14/25 REVISOR VH/ES​