MN Legislature

Accessibility menu

Bills use visual text formatting such as stricken text to denote deleted language, and underlined text to denote new language. For users of the jaws screenreader it is recommended to configure jaws to use the proofreading scheme which will alter the pitch of the reading voice when reading stricken and underlined text. Instructions for configuring your jaws reader are provided by following this link.
If you can not or do not wish to configure your screen reader, deleted language will begin with the phrase "deleted text begin" and be followed by the phrase "deleted text end", new language will begin with the phrase "new text begin" and be followed by "new text end". Skip to text of SF 1961.

Menu

Revisor of Statutes Menu

SF 1961

2nd Engrossment - 90th Legislature (2017 - 2018) Posted on 04/09/2018 04:42pm

KEY: stricken = removed, old language. underscored = added, new language.

Pdf

Rtf

Version List Authors and Status

Current Version - 2nd Engrossment

A bill for an act
relating to education; providing for student online privacy;amending Minnesota
Statutes 2016, section 13.321, by adding a subdivision; proposing coding for new
law in Minnesota Statutes, chapter 125B.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

Minnesota Statutes 2016, section 13.321, is amended by adding a subdivision
to read:


Subd. 12.

Student online privacy.

Section 125B.27 governs student privacy and
information practices of operators of online services for school purposes.

Sec. 2.

[125B.27] STUDENT ONLINE PRIVACY.

Subdivision 1.

Definitions.

(a) The definitions in this subdivision apply to this section.

(b) "Covered information" means personally identifiable information or material, or
information that is linked to personally identifiable information or material, in any media
or format that is not publicly available and is any of the following:

(1) created by or provided to an operator by a student, or the student's parent or legal
guardian, in the course of the student's, parent's, or legal guardian's use of the operator's
site, service, or application for school purposes;

(2) created by or provided to an operator by an employee or agent of a school or school
district for school purposes; or

(3) gathered by an operator through the operation of its site, service, or application for
school purposes and personally identifies a student including, but not limited to, information
in the student's educational record or e-mail, first and last name, home address, telephone
number, e-mail address, or other information that allows physical or online contact, discipline
records, test results, special education data, juvenile dependency records, grades, evaluations,
criminal records, medical records, health records, Social Security number, biometric
information, disabilities, socioeconomic information, food purchases, political affiliations,
religious information, text messages, documents, student identifiers, search activity, photos,
voice recordings, or geolocation information.

(c) "Interactive computer service" has the meaning given in United States Code, title
47, section 230.

(d) "Operator" means, to the extent that it is operating in this capacity, the operator of
an Internet Web site, online service, online application, or mobile application with actual
knowledge that the site, service, or application is used primarily for school purposes and
was designed and marketed for school purposes. Operator includes:

(1) an agent or assignee of the operator or a person acting under the supervision or control
of the operator; or

(2) a vendor.

(e) "School purposes" means purposes that are directed by or that customarily take place
at the direction of a school, teacher, or school district or aid in the administration of school
activities including, but not limited to, instruction in the classroom or at home, administrative
activities, and collaboration between students, school personnel, or parents or legal guardians
or are otherwise for the use and benefit of the school.

(f) "Student" means a student in prekindergarten through grade 12.

(g) "Targeted advertising" means presenting advertisements to a student where the
advertisement is selected based on information obtained or inferred over time from that
student's online behavior, usage of applications, or covered information. It does not include
advertising to a student at an online location based upon that student's current visit to that
location, or in response to that student's request for information or feedback, without the
retention of that student's online activities or requests over time for the purpose of targeting
subsequent advertisements.

(h) "Vendor" means a person who contracts with a school or school district to provide
access to an Internet Web site, online service, online application, or mobile application for
school purposes.

Subd. 2.

Prohibited activities.

(a) An operator must not do any of the following:

(1) engage in targeted advertising on the operator's site, service, or application or target
advertising on any other site, service, or application, or by any other means, if the targeting
of the advertising is based on any information, including covered information and persistent
unique identifiers, that the operator has acquired because of the use of that operator's site,
service, or application for school purposes;

(2) use information, including persistent unique identifiers, created or gathered by the
operator's site, service, or application to amass a profile about a student except in furtherance
of school purposes. "Amass a profile" does not include the collection and retention of account
information that remains under the control of the student, the student's parent or legal
guardian, or the school;

(3) sell or rent a student's information, including covered information. This clause does
not apply to the purchase, merger, or other type of acquisition of an operator by another
entity if the operator or successor entity complies with this section regarding previously
acquired student information; or

(4) except as otherwise provided under subdivision 4, disclose covered information
unless the disclosure is:

(i) in furtherance of the school purpose of the site, service, or application if the recipient
of the covered information disclosed under this item does not further disclose the information
unless done to allow or improve operability and functionality of the operator's site, service,
or application;

(ii) to ensure legal and regulatory compliance or protect against liability;

(iii) to respond to or participate in the judicial process;

(iv) to protect the safety or integrity of users of the site or others or the security of the
site, service, or application;

(v) for a school, educational, or employment purpose requested by the student or the
student's parent or guardian, provided that the information is not used or further disclosed
for any other purpose;

(vi) to a national assessment provider if the provider secures the express written consent
of the student, parent, or legal guardian given in response to clear and conspicuous notice,
solely for the purpose of providing access to employment, educational scholarships or
financial aid, or postsecondary educational opportunities; or

(vii) to a third party, if the operator contractually prohibits the third party from using
any covered information for any purpose other than providing the contracted service to or
on behalf of the operator, prohibits the third party from disclosing any covered information
provided by the operator with subsequent third parties, and requires the third party to
implement and maintain reasonable security procedures and practices.

(b) Nothing in this subdivision prohibits the operator's use of information for maintaining,
developing, supporting, improving, or diagnosing the operator's site, service, or application.

Subd. 3.

Security procedures and practices; return or destruction of information.

(a) An operator must implement and maintain reasonable security procedures and practices
in writing that are appropriate to the nature of the covered information and designed to
ensure protection of covered information from unauthorized access, destruction, use,
modification, or disclosure.

(b) Within 30 days of a request from a student, parent, or legal guardian, an operator
that is not a vendor must destroy or return the covered information to the student, parent,
or legal guardian. A vendor must comply with the provisions of subdivision 7 governing
destruction or return of data to the school.

Subd. 4.

Permissible disclosures.

An operator may use or disclose covered information
of a student under the following circumstances:

(1) if other provisions of federal or state law require the operator to disclose the
information and the operator complies with the requirements of federal and state law in
protecting and disclosing that information;

(2) for legitimate research purposes as required by state or federal law and subject to
the restrictions under applicable state and federal law or as allowed by state or federal law
and under the direction of a school, school district, or the Department of Education if covered
information is not used for advertising or to amass a profile on the student for purposes
other than school purposes; or

(3) to a state or local educational agency, including schools and school districts, for
school purposes as permitted by state or federal law.

Subd. 5.

Use of information by operator.

This section does not prohibit an operator
from doing any of the following:

(1) using covered information to improve educational products if that information is not
associated with an identified student within the operator's site, service, or application or
other sites, services, or applications owned by the operator;

(2) using covered information that is not associated with an identified student to
demonstrate the effectiveness of the operator's products or services, including in their
marketing;

(3) sharing covered information that is not associated with an identified student for the
development and improvement of educational sites, services, or applications; or

(4) responding to a student's request for information or for feedback without the
information or response being determined in whole or in part by payment or other
consideration from a third party.

Subd. 6.

Certain activities not affected.

This section does not:

(1) limit the authority of a law enforcement agency to obtain any content or information
from an operator as authorized by law or under a court order;

(2) limit the ability of an operator to use student data, including covered information,
for adaptive learning or customized student learning purposes;

(3) apply to general audience Internet Web sites, general audience online services, general
audience online applications, or general audience mobile applications even if the login
credentials created for an operator's site, service, or application may be used to access those
general audience sites, services, or applications;

(4) limit service providers from providing Internet connectivity to schools or students
and their families;

(5) prohibit an operator of an Internet Web site, online service, online application, or
mobile application from marketing educational products directly to parents or legal guardians
if the marketing did not result from the use of covered information obtained by the operator
through the provision of services covered under this section;

(6) impose a duty upon a provider of an electronic store, gateway, marketplace, or other
means of purchasing or downloading software or applications to review or enforce
compliance with this section on those applications or software;

(7) impose a duty upon a provider of an interactive computer service to review or enforce
compliance with this section by third-party content providers; or

(8) prohibit students from downloading, exporting, transferring, saving, or maintaining
their own student data or documents.

Subd. 7.

Special requirements applicable to vendors.

(a) In addition to the requirements
of subdivisions 2 to 6, a vendor must comply with this subdivision.

(b) A vendor is subject to the provisions of section 13.05, subdivision 11. Covered
information created, received, or maintained by a vendor pursuant or incidental to the
contract are the property of the school and are not the property of the vendor. Unless renewal
of the contract is reasonably anticipated, within 30 days of expiration of the contract, or
within 30 days of a request from the school, the vendor must destroy or return the covered
information to the school.

1.1 1.2 1.3 1.4 1.5
1.6 1.7 1.8 1.9
1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26 2.27 2.28 2.29 2.30 2.31 2.32 2.33 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 3.31 3.32 3.33 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22 4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 4.31 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13 5.14 5.15 5.16 5.17 5.18 5.19 5.20 5.21 5.22 5.23 5.24 5.25 5.26 5.27 5.28 5.29 5.30 5.31 5.32 6.1 6.2 6.3 6.4 6.5 6.6

700 State Office Building, 100 Rev. Dr. Martin Luther King Jr. Blvd., St. Paul, MN 55155 ♦ Phone: (651) 296-2868 ♦ TTY: 1-800-627-3529 ♦ Fax: (651) 296-0569