SF 4574
Introduction - 94th Legislature (2025 - 2026)
Posted on 03/19/2026 09:13 a.m.
1.8 1.9 1.10 1.11 1.12
1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8
2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26 2.27 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22 4.23 4.24 4.25
4.26 4.27 4.28 4.29 4.30 4.31 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13 5.14 5.15 5.16 5.17 5.18 5.19 5.20 5.21 5.22 5.23 5.24 5.25 5.26 5.27 5.28
5.29 5.30 5.31 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 6.10 6.11 6.12 6.13 6.14 6.15 6.16 6.17 6.18 6.19 6.20 6.21 6.22 6.23 6.24 6.25 6.26 6.27 6.28 6.29 6.30 6.31 6.32 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9 7.10 7.11 7.12 7.13 7.14 7.15 7.16 7.17 7.18 7.19 7.20 7.21 7.22 7.23 7.24 7.25 7.26 7.27 7.28 7.29 7.30 7.31 7.32 7.33 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 8.10 8.11 8.12 8.13 8.14 8.15 8.16 8.17 8.18 8.19 8.20 8.21 8.22 8.23 8.24 8.25 8.26 8.27 8.28 8.29 8.30 8.31 9.1 9.2 9.3 9.4 9.5 9.6 9.7 9.8 9.9 9.10 9.11 9.12 9.13 9.14 9.15 9.16 9.17 9.18 9.19 9.20 9.21 9.22 9.23 9.24 9.25 9.26 9.27 9.28 9.29 9.30
10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8 10.9 10.10 10.11 10.12 10.13 10.14 10.15 10.16 10.17 10.18 10.19 10.20 10.21 10.22
10.23 10.24 10.25 10.26 10.27 10.28 10.29 10.30 10.31 10.32 11.1 11.2 11.3
A bill for an act
relating to consumer data privacy; creating the Minnesota Age-Appropriate Design
Code Act; placing obligations on certain businesses regarding children's consumer
information; providing for enforcement by the attorney general; amending
Minnesota Statutes 2024, section 13.6505, by adding a subdivision; proposing
coding for new law in Minnesota Statutes, chapter 325M.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Section 1.
Minnesota Statutes 2024, section 13.6505, is amended by adding a subdivision
to read:
new text begin Subd. 3. new text end
new text begin Data protection impact assessments. new text end
new text begin
A data protection impact assessment
collected or maintained by the attorney general under section 325M.44 is classified under
section 325M.44, subdivision 3.
new text end
Sec. 2.
new text begin
[325M.40] CITATION; CONSTRUCTION.
new text end
new text begin Subdivision 1. new text end
new text begin Citation. new text end
new text begin
This chapter may be cited as the "Minnesota Age-Appropriate
Design Code Act."
new text end
new text begin Subd. 2. new text end
new text begin Construction. new text end
new text begin
(a) A business that develops and provides online products that
children are reasonably likely to access must consider the best interests of children when
designing, developing, and providing that online product.
new text end
new text begin
(b) If a conflict arises between commercial interests of a business and the best interests
of children likely to access an online product, service, or feature, the business must prioritize
the privacy, safety, and well-being of children over its commercial interests.
new text end
new text begin
(c) In order to help support the design of online products, a business must consider the
unique needs and diversities of different age ranges, including the following developmental
stages:
new text end
new text begin
(1) zero to five years of age or "preliterate and early literacy";
new text end
new text begin
(2) six to nine years of age or "core primary school years";
new text end
new text begin
(3) ten to 12 years of age or "transition years";
new text end
new text begin
(4) 13 to 15 years of age or "early teens"; and
new text end
new text begin
(5) 16 to 17 years of age or "approaching adulthood."
new text end
Sec. 3.
new text begin
[325M.41] DEFINITIONS.
new text end
new text begin
(a) For purposes of this chapter, the following terms have the meanings given.
new text end
new text begin
(b) "Affiliate" has the meaning given in section 325M.11.
new text end
new text begin
(c) "Aggregate consumer information" means information:
new text end
new text begin
(1) that relates to a group or category of consumers;
new text end
new text begin
(2) from which individual consumer identities have been removed;
new text end
new text begin
(3) that is not linked or reasonably linkable to any consumer or household, including by
a device; and
new text end
new text begin
(4) that does not include deidentified data.
new text end
new text begin
(d) "Best interests of children" means a business's use of the personal data of a child or
the design of an online product in a way that does not:
new text end
new text begin
(1) benefit the business to the detriment of children; and
new text end
new text begin
(2) result in:
new text end
new text begin
(i) reasonably foreseeable and material physical or financial harm to children;
new text end
new text begin
(ii) reasonably foreseeable and severe psychological or emotional harm to children;
new text end
new text begin
(iii) a highly offensive intrusion on children's reasonable expectation of privacy; or
new text end
new text begin
(iv) discrimination against children based on race, color, religion, national origin,
disability, sex, or sexual orientation.
new text end
new text begin
(e) "Business" means:
new text end
new text begin
(1) a sole proprietorship, partnership, limited liability company, corporation, association,
or other legal entity that is organized or operated for the profit or financial benefit of its
shareholders or other owners; and
new text end
new text begin
(2) an affiliate of a business that shares common branding with the business. For purposes
of this clause, "common branding" means a shared name, service mark, or trademark that
the average consumer would understand that two or more entities commonly own.
new text end
new text begin
For purposes of this chapter, for a joint venture or partnership composed of businesses in
which each business has at least a 40 percent interest, the joint venture or partnership and
each business that composes the joint venture or partnership shall separately be considered
a single business, except that personal data in the possession of each business and disclosed
to the joint venture or partnership must not be shared with the other business.
new text end
new text begin
(f) "Child" means a consumer who is under 18 years of age.
new text end
new text begin
(g) "Collect" means buying, renting, gathering, obtaining, receiving, or accessing any
personal data pertaining to a consumer by any means. This includes receiving data from the
consumer, either actively or passively or by observing the consumer's behavior.
new text end
new text begin
(h) "Consumer" has the meaning given in section 325M.11.
new text end
new text begin
(i) "Dark pattern" has the meaning given in section 325M.11.
new text end
new text begin
(j) "Data protection impact assessment" means a systematic survey to assess compliance
with the duty to act in the best interests of children.
new text end
new text begin
(k) "Default" means a preselected option adopted by the business for the online product.
new text end
new text begin
(l) "Deidentified data" has the meaning given in section 325M.11.
new text end
new text begin
(m) "Online product" means an online service, product, or feature. Online product does
not include the following:
new text end
new text begin
(1) telecommunications services as defined in United States Code, title 47, section 153;
new text end
new text begin
(2) a broadband service as defined by section 116J.39, subdivision 1; or
new text end
new text begin
(3) the sale, delivery, or use of a physical product sold by an online retailer.
new text end
new text begin
(n) "Personal data" has the meaning given in section 325M.11.
new text end
new text begin
(o) "Process" or "processing" has the meaning given in section 325M.11.
new text end
new text begin
(p) "Product experimentation results" means the data that a business collects to understand
the experimental impact of its products.
new text end
new text begin
(q) "Profiling" has the meaning given in section 325M.11.
new text end
new text begin
(r) "Reasonably likely to be accessed by children" means that it is reasonable to expect
that the online product would be accessed by children, based on satisfying any of the
following criteria:
new text end
new text begin
(1) the online product is directed to children as defined by the Children's Online Privacy
Protection Act, United States Code, title 15, section 6501 et seq., and the Federal Trade
Commission rules implementing that act;
new text end
new text begin
(2) the online product is determined, based on competent and reliable evidence regarding
audience composition, to be routinely accessed by a significant number of children;
new text end
new text begin
(3) the online product contains advertisements marketed to children;
new text end
new text begin
(4) the online product is substantially similar to or the same as an online product subject
to clause (2);
new text end
new text begin
(5) a significant amount of the audience of the online product is determined, based on
internal company research, to be children; or
new text end
new text begin
(6) the business knew or should have known that a significant number of users are
children.
new text end
new text begin
(s) "Sale," "sell," or "sold" has the meaning given in section 325M.11.
new text end
new text begin
(t) "Share" means sharing, renting, releasing, disclosing, disseminating, making available,
transferring, or otherwise communicating orally, in writing, or by electronic or other means
a consumer's personal data by the business to a third party for cross-context behavioral
advertising, whether for monetary or other valuable consideration, including transactions
between a business and a third party for cross-context behavioral advertising for the benefit
of a business in which no money is exchanged.
new text end
new text begin
(u) "Specific geolocation data" has the meaning given in section 325M.11.
new text end
new text begin
(v) "Third party" has the meaning given in section 325M.11.
new text end
Sec. 4.
new text begin
[325M.43] SCOPE; EXCLUSIONS.
new text end
new text begin
(a) A business is subject to this chapter if it:
new text end
new text begin
(1) collects consumers' personal data or has consumers' personal data collected on its
behalf by a third party;
new text end
new text begin
(2) determines alone or jointly with others the purposes and means of the processing of
consumers' personal data;
new text end
new text begin
(3) does business in Minnesota; and
new text end
new text begin
(4) satisfies one or more of the following thresholds:
new text end
new text begin
(i) has annual gross revenues in excess of $25,000,000, as adjusted every odd-numbered
year to reflect the Consumer Price Index;
new text end
new text begin
(ii) annually buys, receives for the business's commercial purposes, sells, or shares for
commercial purposes, alone or in combination, the personal data of 50,000 or more
consumers, households, or devices; or
new text end
new text begin
(iii) derives 50 percent or more of its annual revenues from selling consumers' personal
data.
new text end
new text begin
(b) This chapter does not apply to:
new text end
new text begin
(1) protected health information that is collected by a covered entity or business associate
governed by the privacy, security, and breach notification rules issued by the United States
Department of Health and Human Services, Code of Federal Regulations, title 45, parts 160
and 164, established pursuant to the Health Insurance Portability and Accountability Act
of 1996, Public Law 104-191, and the Health Information Technology for Economic and
Clinical Health Act, Public Law 111-5;
new text end
new text begin
(2) a covered entity governed by the privacy, security, and breach notification rules
issued by the United States Department of Health and Human Services, Code of Federal
Regulations, title 45, parts 160 and 164, established pursuant to the Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191, to the extent the provider
or covered entity maintains patient information in the same manner as medical information
or protected health information as described in clause (1);
new text end
new text begin
(3) information collected as part of a clinical trial subject to the federal policy for the
protection of human subjects, also known as the common rule, pursuant to good clinical
practice guidelines issued by the International Council for Harmonisation or pursuant to
human subject protection requirements of the United States Food and Drug Administration;
or
new text end
new text begin
(4) data subject to Title V of the Gramm-Leach-Bliley Act of 1999, Public Law 106-102.
new text end
Sec. 5.
new text begin
[325M.44] BUSINESS OBLIGATIONS.
new text end
new text begin Subdivision 1. new text end
new text begin Requirements for businesses. new text end
new text begin
(a) A business subject to this chapter
must:
new text end
new text begin
(1) complete a data protection impact assessment for any new online product that is
reasonably likely to be to accessed by children and maintain documentation of the data
protection impact assessment as long as the online product is reasonably likely to be accessed
by children;
new text end
new text begin
(2) review and modify all data protection impact assessments as necessary to account
for material changes to processing pertaining to the online product;
new text end
new text begin
(3) within five business days of a written request by the attorney general, provide to the
attorney general a list of all data protection impact assessments the business has completed;
new text end
new text begin
(4) within seven business days of a written request by the attorney general or by a date
otherwise specified by the attorney general, provide the attorney general with a copy of any
data protection impact assessment;
new text end
new text begin
(5) configure all default privacy settings provided to children by the online product to
settings that offer a high level of privacy, unless the business can demonstrate a compelling
reason that a different setting is in the best interests of children;
new text end
new text begin
(6) provide any privacy information, terms of service, policies, and community standards
concisely, prominently, and using clear language suited to the age of children reasonably
likely to access that online product; and
new text end
new text begin
(7) provide prominent, accessible, and responsive tools to help children or if applicable,
their parents or guardians, exercise their privacy rights and report concerns.
new text end
new text begin
(b) A business that provides an online product reasonably likely to be accessed by
children must prepare a data protection impact assessment for an online product that is
offered to the public on or before August 1, 2027, and will continue to be offered to the
public after that date, or that is initially offered to the public after August 1, 2027.
new text end
new text begin
(c) A data protection impact assessment must:
new text end
new text begin
(1) identify the purpose of the online product;
new text end
new text begin
(2) identify how the online product uses children's data;
new text end
new text begin
(3) determine whether the online product is designed in a manner consistent with the
best interests of children reasonably likely to access the online product through consideration
of:
new text end
new text begin
(i) whether algorithms used by the product, service, or feature would result in reasonably
foreseeable and material physical or financial harm to the child; reasonably foreseeable and
extreme psychological or emotional harm to the child; a highly offensive intrusion on the
reasonable privacy expectations of the child; or discrimination against the child based upon
race, color, religion, national origin, disability, sex, or sexual orientation;
new text end
new text begin
(ii) whether the design or data processing practices of the online product could lead to
children experiencing or being targeted by contacts on the online product that would result
in reasonably foreseeable and material physical or financial harm to the child; reasonably
foreseeable and extreme psychological or emotional harm to the child; a highly offensive
intrusion on the reasonable privacy expectations of the child; or discrimination against the
child based upon race, color, religion, national origin, disability, sex, or sexual orientation;
new text end
new text begin
(iii) whether the design or data processing practices of the online product could permit
children to witness, participate in, or be subject to conduct on the online product that would
result in reasonably foreseeable and material physical or financial harm to the child;
reasonably foreseeable and extreme psychological or emotional harm to the child; a highly
offensive intrusion on the reasonable privacy expectations of the child; or discrimination
against the child based upon race, color, religion, national origin, disability, sex, or sexual
orientation;
new text end
new text begin
(iv) whether the design or data processing practices of the online product are reasonably
expected to allow children to be party to or exploited by a contract on the online product
that would result in reasonably foreseeable and material physical or financial harm to the
child; reasonably foreseeable and extreme psychological or emotional harm to the child; a
highly offensive intrusion on the reasonable privacy expectations of the child; or
discrimination against the child based upon race, color, religion, national origin, disability,
sex, or sexual orientation;
new text end
new text begin
(v) whether the online product uses system design features to increase, sustain, or extend
use of the online product by children, including the automatic playing of media, rewards
for time spent, and notifications that would result in reasonably foreseeable and material
physical or financial harm to the child; reasonably foreseeable and extreme psychological
or emotional harm to the child; a highly offensive intrusion on the reasonable privacy
expectations of the child; or discrimination against the child based upon race, color, religion,
national origin, disability, sex, or sexual orientation;
new text end
new text begin
(vi) whether, how, and for what purpose the online product, service, or feature collects
or processes personal data of children and whether those practices would result in reasonably
foreseeable and material physical or financial harm to the child; reasonably foreseeable and
extreme psychological or emotional harm to the child; a highly offensive intrusion on the
reasonable privacy expectations of the child; or discrimination against the child based upon
race, color, religion, national origin, disability, sex, or sexual orientation;
new text end
new text begin
(vii) whether and how product experimentation results for the online product, service,
or feature reveal data management or design practices that would result in reasonably
foreseeable and material physical or financial harm to the child; reasonably foreseeable and
extreme psychological or emotional harm to the child; a highly offensive intrusion on the
reasonable privacy expectations of the child; or discrimination against the child based upon
race, color, religion, national origin, disability, sex, or sexual orientation; and
new text end
new text begin
(viii) any other factor that may indicate that the online product is designed in a manner
that is inconsistent with the best interests of children; and
new text end
new text begin
(4) include a description of steps that the business has taken and will take to act in a
manner consistent with the best interests of children.
new text end
new text begin
(d) A data protection impact assessment conducted by a business for the purpose of
compliance with any other law complies with this section if the data protection impact
assessment meets the requirement of this chapter.
new text end
new text begin
(e) A single data protection impact assessment may contain multiple similar processing
operations that present similar risk only if each relevant online product is addressed.
new text end
new text begin Subd. 2. new text end
new text begin Prohibition on businesses. new text end
new text begin
(a) A business that provides an online product
reasonably likely to be accessed by children must not:
new text end
new text begin
(1) process the personal data of any child in a way that is inconsistent with the best
interests of children reasonably likely to access the online product;
new text end
new text begin
(2) profile a child by default unless both of the following criteria are met:
new text end
new text begin
(i) the business can demonstrate it has appropriate safeguards in place to ensure that
profiling is consistent with the best interests of children reasonably likely to access the
online product; and
new text end
new text begin
(ii) either of the following is true:
new text end
new text begin
(A) profiling is necessary to provide the online product requested and only with respect
to the aspects of the online product with which a child is actively and knowingly engaged;
or
new text end
new text begin
(B) the business can demonstrate a compelling reason that profiling is in the best interests
of children;
new text end
new text begin
(3) process any personal data that is not reasonably necessary to provide an online product
with which a child is actively and knowingly engaged;
new text end
new text begin
(4) if the end user is a child, process personal data for any reason other than a reason
for which that personal data was collected;
new text end
new text begin
(5) process any specific geolocation data of children by default, unless the collection of
that specific geolocation data is strictly necessary for the business to provide the service,
product, or feature requested and then only for the limited time that the collection of specific
geolocation data is necessary to provide the service, product, or feature;
new text end
new text begin
(6) process any specific geolocation data of a child without providing an obvious sign
to the child for the duration of that collection that specific geolocation data is being collected;
new text end
new text begin
(7) use dark patterns to cause children to provide personal data beyond what is reasonably
expected to provide that online product to forego privacy protections, or to take any action
that the business knows, or has reason to know, is not in the best interests of children
reasonably likely to access the online product; or
new text end
new text begin
(8) allow a person other than a child's parent or guardian to monitor the child's online
activity without first notifying the child and the child's parent or guardian.
new text end
new text begin
(b) A business that provides an online product that is accessed or reasonably likely to
be accessed by children may allow a child's parent or guardian to monitor the child's online
activity or track the child's location without providing an obvious signal to the child when
the child is being monitored or tracked.
new text end
new text begin
(c) In determining whether an online product is reasonably likely to be accessed by
children, a business may not collect or process any personal data beyond what is reasonably
necessary to make the determination.
new text end
new text begin Subd. 3. new text end
new text begin Data practices. new text end
new text begin
(a) A data protection impact assessment collected or maintained
by the attorney general under subdivision 1 is classified as nonpublic data or private data
on individuals under section 13.02, subdivisions 9 and 12.
new text end
new text begin
(b) To the extent any information contained in a data protection impact assessment
disclosed to the attorney general includes information subject to attorney-client privilege
or work product protection, disclosure pursuant to this section does not constitute a waiver
of that privilege or protection.
new text end
Sec. 6.
new text begin
[325M.45] ATTORNEY GENERAL ENFORCEMENT.
new text end
new text begin
(a) A business that violates this chapter may be subject to an injunction and liable for a
civil penalty of not more than $2,500 per affected child for each negligent violation, or not
more than $7,500 per affected child for each intentional violation, which may be assessed
and recovered only in a civil action brought by the attorney general in accordance with
section 8.31. If the state prevails in an action to enforce this chapter, the state may, in addition
to penalties provided by this paragraph or other remedies provided by law, be allowed an
amount determined by the court to be the reasonable value of all or part of the state's litigation
expenses incurred.
new text end
new text begin
(b) Any penalties, fees, and expenses recovered in an action brought under this chapter
must be deposited in an account in the special revenue fund and are appropriated to the
attorney general to offset costs incurred by the attorney general in connection with
enforcement of this chapter.
new text end
new text begin
(c) If a business is in substantial compliance with this act and has fulfilled the
requirements of section 325M.44, subdivision 1, paragraph (a), clause (1), the attorney
general must, before initiating a civil action under this section, provide written notice to the
business identifying the specific provisions of this chapter that the attorney general alleges
have been or are being violated. If, within 90 days of receiving notice, the business cures
any noticed violation and provides the attorney general a written statement that the alleged
violations have been cured, and sufficient measures have been taken to prevent future
violations, the business is not liable for a civil penalty for any violation cured pursuant to
this section.
new text end
Sec. 7.
new text begin
[325M.46] LIMITATIONS.
new text end
new text begin
Nothing in this chapter shall be interpreted or construed to:
new text end
new text begin
(1) impose liability in a manner that is inconsistent with United States Code, title 47,
section 230;
new text end
new text begin
(2) provide a private right of action under this chapter, section 8.31, or any other law;
new text end
new text begin
(3) prevent or preclude any child from deliberately or independently searching for or
specifically requesting content;
new text end
new text begin
(4) require a business to implement age-gating or other technical protection methods to
prevent underage people from viewing a website or other content;
new text end
new text begin
(5) infringe on the existing rights and freedoms of children;
new text end
new text begin
(6) require a business to monitor or censor third-party content; or
new text end
new text begin
(7) discriminate against children on the basis of race, color, religion, national origin,
disability, gender identity, sex, or sexual orientation.
new text end