Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature
Office of the Revisor of Statutes

SF 2320

as introduced - 90th Legislature (2017 - 2018) Posted on 04/19/2017 09:16am

KEY: stricken = removed, old language.
underscored = added, new language.
Version List Authors and Status
Pdf Rtf

Current Version - as introduced

Line numbers 1.1 1.2 1.3 1.4
1.5 1.6 1.7
1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26 2.27 2.28 2.29 2.30 2.31 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16
3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 3.31 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22 4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13
5.14 5.15 5.16 5.17 5.18 5.19 5.20 5.21 5.22 5.23 5.24 5.25 5.26 5.27 5.28 5.29 5.30 5.31 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 6.10 6.11 6.12 6.13 6.14 6.15 6.16 6.17 6.18 6.19 6.20 6.21 6.22 6.23 6.24 6.25 6.26 6.27 6.28 6.29 6.30 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9
7.10 7.11 7.12 7.13 7.14 7.15 7.16 7.17 7.18 7.19 7.20 7.21 7.22 7.23 7.24 7.25
7.26 7.27 7.28
8.1 8.2 8.3 8.4 8.5 8.6 8.7
8.8 8.9 8.10 8.11 8.12
8.13 8.14

A bill for an act
 relating to privacy; enacting the Uniform Employee and Student Online Privacy
Protection Act; proposing coding for new law as Minnesota Statutes, chapter 13E.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

new text begin [13E.01] SHORT TITLE.
 new text end

new text begin This chapter may be cited as the "Uniform Employee and Student Online Privacy
Protection Act."
 new text end

Sec. 2.

new text begin [13E.02] DEFINITIONS.
 new text end

new text begin Subdivision 1. new text end

new text begin Scope. new text end

new text begin For purposes of this chapter, the terms defined in this section have
the meanings given them.
 new text end

new text begin Subd. 2. new text end

new text begin Content. new text end

new text begin "Content" means information, other than log-in information, that is
contained in a protected personal online account, accessible to the account holder, and not
publicly available.
 new text end

new text begin Subd. 3. new text end

new text begin Educational institution. new text end

new text begin "Educational institution" means a person that provides
students at the postsecondary level an organized program of study or training that is academic,
technical, trade oriented, or preparatory for gaining employment and for which the person
gives academic credit. The term includes:
 new text end

new text begin (1) a public or private institution; and
 new text end

new text begin (2) an agent or designee of the educational institution.
 new text end

new text begin Subd. 4. new text end

new text begin Electronic. new text end

new text begin "Electronic" means relating to technology having electrical, digital,
magnetic, wireless, optical, electromagnetic, or similar capabilities.
 new text end

new text begin Subd. 5. new text end

new text begin Employee. new text end

new text begin "Employee" means an individual who provides services or labor to
an employer in exchange for salary, wages, or the equivalent or, for an unpaid intern,
academic credit or occupational experience. The term includes:
 new text end

new text begin (1) a prospective employee who:
 new text end

new text begin (i) has expressed to the employer an interest in being an employee; or
 new text end

new text begin (ii) has applied to or is applying for employment by, or is being recruited for employment
by, the employer; and
 new text end

new text begin (2) an independent contractor.
 new text end

new text begin Subd. 6. new text end

new text begin Employer. new text end

new text begin "Employer" means a person that provides salary, wages, or the
equivalent to an employee in exchange for services or labor or engages the services or labor
of an unpaid intern. The term includes an agent or designee of the employer.
 new text end

new text begin Subd. 7. new text end

new text begin Log-in information. new text end

new text begin "Log-in information" means a username and password,
password, or other means or credentials of authentication required to access or control:
 new text end

new text begin (1) a protected personal online account; or
 new text end

new text begin (2) an electronic device, which the employee's employer or the student's educational
institution has not supplied or paid for in full, that itself provides access to or control over
the account.
 new text end

new text begin Subd. 8. new text end

new text begin Log-in requirement. new text end

new text begin "Log-in requirement" means a requirement that log-in
information be provided before an online account or electronic device can be accessed or
controlled.
 new text end

new text begin Subd. 9. new text end

new text begin Online. new text end

new text begin "Online" means accessible by means of a computer network or the
Internet.
 new text end

new text begin Subd. 10. new text end

new text begin Person. new text end

new text begin "Person" means an individual, estate, business or nonprofit entity,
public corporation, government or governmental subdivision, agency, or instrumentality,
or other legal entity.
 new text end

new text begin Subd. 11. new text end

new text begin Protected personal online account. new text end

new text begin "Protected personal online account"
means an employee's or student's online account that is protected by a log-in requirement.
The term does not include an online account or the part of an online account:
 new text end

new text begin (1) that is publicly available; or
 new text end

new text begin (2) that the employer or educational institution has notified the employee or student
might be subject to a request for log-in information or content, and that:
 new text end

new text begin (i) the employer or educational institution supplies or pays for in full; or
 new text end

new text begin (ii) the employee or student creates, maintains, or uses primarily on behalf of or under
the direction of the employer or educational institution in connection with the employee's
employment or the student's education.
 new text end

new text begin Subd. 12. new text end

new text begin Publicly available. new text end

new text begin "Publicly available" means available to the general public.
 new text end

new text begin Subd. 13. new text end

new text begin Record. new text end

new text begin "Record" means information that is inscribed on a tangible medium
or that is stored in an electronic or other medium and is retrievable in perceivable form.
 new text end

new text begin Subd. 14. new text end

new text begin State. new text end

new text begin "State" means a state of the United States, the District of Columbia, the
United States Virgin Islands, or any territory or insular possession subject to the jurisdiction
of the United States.
 new text end

new text begin Subd. 15. new text end

new text begin Student. new text end

new text begin "Student" means an individual who participates in an educational
institution's organized program of study or training. The term includes:
 new text end

new text begin (1) a prospective student who express to the institution an interest in being admitted to,
applies for admission to, or is being recruited for admission by, the educational institution;
and
 new text end

new text begin (2) a parent or legal guardian of a student under the age of 18.
 new text end

Sec. 3.

new text begin [13E.03] PROTECTION OF EMPLOYEE ONLINE ACCOUNT.
 new text end

new text begin (a) Subject to the exceptions in paragraph (b), an employer may not:
 new text end

new text begin (1) require, coerce, or request an employee to:
 new text end

new text begin (i) disclose the log-in information for the employee's protected personal online account;
 new text end

new text begin (ii) disclose the content of the employee's protected personal online account, except that
an employer may request an employee to add the employer to, or not remove the employer
from, the set of persons to whom the employee grants access to the content;
 new text end

new text begin (iii) alter the settings of the employee's protected personal online account in a manner
that makes the log-in information for, or content of, the account more accessible to others;
or
 new text end

new text begin (iv) access the employee's protected personal online account in the presence of the
employer in a manner that enables the employer to observe the log-in information for or
content of the account; or
 new text end

new text begin (2) take, or threaten to take, adverse action against an employee for failure to comply
with:
 new text end

new text begin (i) an employer requirement, coercive action, or request that violates clause (1); or
 new text end

new text begin (ii) an employer request under clause (1), item (ii), to add the employer to, or not remove
the employer from, the set of persons to which the employee grants access to the content
of a protected personal online account.
 new text end

new text begin (b) Nothing in paragraph (a) shall prevent an employer from:
 new text end

new text begin (1) accessing information about an employee that is publicly available;
 new text end

new text begin (2) complying with a federal or state law, court order, or rule of a self-regulatory
organization established by federal or state law, including a self-regulatory organization
defined in section 3(a)(26) of the Securities and Exchange Act of 1934, United States Code,
title 15, section 78c(a)(26); or
 new text end

new text begin (3) requiring or requesting, based on specific facts about the employee's protected
personal online account, access to the content of, but not the log-in information for, the
account in order to:
 new text end

new text begin (i) ensure compliance, or investigate noncompliance, with:
 new text end

new text begin (A) federal or state law; or
 new text end

new text begin (B) an employer prohibition against work-related employee misconduct of which the
employee has reasonable notice, that is in a record, and that was not created primarily to
gain access to a protected personal online account; or
 new text end

new text begin (ii) protect against:
 new text end

new text begin (A) a threat to safety;
 new text end

new text begin (B) a threat to employer information technology or communications technology systems
or to employer property; or
 new text end

new text begin (C) disclosure of information in which the employer has a proprietary interest or
information the employer has a legal obligation to keep confidential.
 new text end

new text begin (c) An employer that accesses employee content for a purpose specified in paragraph
(b), clause (3):
 new text end

new text begin (1) shall attempt reasonably to limit its access to content that is relevant to the specified
purpose;
 new text end

new text begin (2) shall use the content only for the specified purpose; and
 new text end

new text begin (3) may not alter the content unless necessary to achieve the specified purpose.
 new text end

new text begin (d) An employer that acquires the log-in information for an employee's protected personal
online account by means of otherwise lawful technology that monitors the employer's
network, or employer-provided devices, for a network security, data confidentiality, or
system maintenance purpose:
 new text end

new text begin (1) may not use the log-in information to access or enable another person to access the
account;
 new text end

new text begin (2) shall make a reasonable effort to keep the log-in information secure;
 new text end

new text begin (3) unless otherwise provided in clause (4), shall dispose of the log-in information as
soon as, as securely as, and to the extent reasonably practicable; and
 new text end

new text begin (4) shall, if the employer retains the log-in information for use in an ongoing investigation
of an actual or suspected breach of computer, network, or data security, make a reasonable
effort to keep the log-in information secure and dispose of it as soon as, as securely as, and
to the extent reasonably practicable after completing the investigation.
 new text end

Sec. 4.

new text begin [13E.04] PROTECTION OF STUDENT ONLINE ACCOUNT.
 new text end

new text begin (a) Subject to the exceptions in paragraph (b), an educational institution may not:
 new text end

new text begin (1) require, coerce, or request a student to:
 new text end

new text begin (i) disclose the log-in information for the student's protected personal online account;
 new text end

new text begin (ii) disclose the content of the student's protected personal online account, except that
an educational institution may request a student to add the educational institution to, or not
remove the educational institution from, the set of persons to whom the student grants access
to the content;
 new text end

new text begin (iii) alter the settings of the student's protected personal online account in a manner that
makes the log-in information for or content of the account more accessible to others; or
 new text end

new text begin (iv) access the student's protected personal online account in the presence of the
educational institution in a manner that enables the educational institution to observe the
log-in information for or content of the account; or
 new text end

new text begin (2) take, or threaten to take, adverse action against a student for failure to comply with:
 new text end

new text begin (i) an educational institution requirement, coercive action, or request, that violates clause
(1); or
 new text end

new text begin (ii) an educational institution request under paragraph (a), clause (1), item (ii), to add
the educational institution to, or not remove the educational institution from, the set of
persons to which the student grants access to the content of a protected personal online
account.
 new text end

new text begin (b) Nothing in paragraph (a) shall prevent an educational institution from:
 new text end

new text begin (1) accessing information about a student that is publicly available;
 new text end

new text begin (2) complying with a federal or state law, court order, or rule of a self-regulatory
organization established by federal or state law; or
 new text end

new text begin (3) requiring or requesting, based on specific facts about the student's protected personal
online account, access to the content of, but not the log-in information for, the account in
order to:
 new text end

new text begin (i) ensure compliance, or investigate noncompliance, with:
 new text end

new text begin (A) federal or state law; or
 new text end

new text begin (B) an educational institution prohibition against education-related student misconduct
of which the student has reasonable notice, that is in a record, and that was not created
primarily to gain access to a protected personal online account; or
 new text end

new text begin (ii) protect against:
 new text end

new text begin (A) a threat to safety;
 new text end

new text begin (B) a threat to educational institution information technology or communications
technology systems or to educational institution property; or
 new text end

new text begin (C) disclosure of information in which the educational institution has a proprietary
interest or information the educational institution has a legal obligation to keep confidential.
 new text end

new text begin (c) An educational institution that accesses student content for a purpose specified in
paragraph (b), clause (3):
 new text end

new text begin (1) shall attempt reasonably to limit its access to content that is relevant to the specified
purpose;
 new text end

new text begin (2) shall use the content only for the specified purpose; and
 new text end

new text begin (3) may not alter the content unless necessary to achieve the specified purpose.
 new text end

new text begin (d) An educational institution that acquires the log-in information for a student's protected
personal online account by means of otherwise lawful technology that monitors the
educational institution's network, or educational-institution-provided devices, for a network
security, data confidentiality, or system maintenance purpose:
 new text end

new text begin (1) may not use the log-in information to access or enable another person to access the
account;
 new text end

new text begin (2) shall make a reasonable effort to keep the log-in information secure;
 new text end

new text begin (3) unless otherwise provided in clause (4), shall dispose of the log-in information as
soon as, as securely as, and to the extent reasonably practicable; and
 new text end

new text begin (4) shall, if the educational institution retains the log-in information for use in an ongoing
investigation of an actual or suspected breach of computer, network, or data security, make
a reasonable effort to keep the log-in information secure and dispose of it as soon as, as
securely as, and to the extent reasonably practicable after completing the investigation.
 new text end

Sec. 5.

new text begin [13E.05] CIVIL ACTION.
 new text end

new text begin (a) The attorney general may bring a civil action against an employer or educational
institution for a violation of this chapter. A prevailing attorney general may obtain:
 new text end

new text begin (1) injunctive and other equitable relief; and
 new text end

new text begin (2) a civil penalty of up to $1,000 for each violation, but not exceeding $100,000 for all
violations caused by the same event.
 new text end

new text begin (b) An employee or student may bring a civil action against the individual's employer
or educational institution for a violation of this chapter. A prevailing employee or student
may obtain:
 new text end

new text begin (1) injunctive and other equitable relief;
 new text end

new text begin (2) actual damages; and
 new text end

new text begin (3) costs and reasonable attorney fees.
 new text end

new text begin (c) An action under paragraph (a) does not preclude an action under paragraph (b), and
an action under paragraph (b) does not preclude an action under paragraph (a).
 new text end

new text begin (d) This chapter does not affect a right or remedy available under law other than this
chapter.
 new text end

Sec. 6.

new text begin [13E.06] UNIFORMITY OF APPLICATION AND CONSTRUCTION.
 new text end

new text begin In applying and construing this chapter, consideration must be given to the need to
promote uniformity of the law with respect to its subject matter among states that enact it.
 new text end

Sec. 7.

new text begin [13E.07] RELATION TO ELECTRONIC SIGNATURES IN GLOBAL AND
NATIONAL COMMERCE ACT.
 new text end

new text begin This chapter modifies, limits, or supersedes the Electronic Signatures in Global and
National Commerce Act, United States Code, title 15, section 7001 et seq., but does not
modify, limit, or supersede section 101(c) of that act, United States Code, title 15, section
7001(c), or authorize electronic delivery of any of the notices described in section 103(b)
of that act, United States Code, title 15, section 7003(b).
 new text end

Sec. 8.

new text begin [13E.08] SEVERABILITY.
 new text end

new text begin If any provision of this chapter or its application to any person or circumstance is held
invalid, the invalidity does not affect other provisions or applications of this chapter which
can be given effect without the invalid provision or application, and to this end the provisions
of this chapter are severable.
 new text end

Sec. 9. new text begin EFFECTIVE DATE.
new text end

new text begin This act is effective August 1, 2017.
 new text end