SF 4666
Introduction - 94th Legislature (2025 - 2026)
Posted on 03/24/2026 10:31 a.m.
A bill for an act
relating to consumer data privacy; requiring certain mandatory privacy notices to
be titled as surveillance notices; amending Minnesota Statutes 2024, section
325M.16, subdivision 1.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Section 1. Minnesota Statutes 2024, section 325M.16, subdivision 1, is amended to read:
Subdivision 1. Transparency obligations. (a) Controllers must provide consumers with
a reasonably accessible, clear, and meaningful privacy notice that includes:
(1) the categories of personal data processed by the controller;
(2) the purposes for which the categories of personal data are processed;
(3) an explanation of the rights contained in section 325M.14 and how and where
consumers may exercise those rights, including how a consumer may appeal a controller's
action with regard to the consumer's request;
(4) the categories of personal data that the controller sells to or shares with third parties,
if any;
(5) the categories of third parties, if any, with whom the controller sells or shares personal
data;
(6) the controller's contact information, including an active email address or other online
mechanism that the consumer may use to contact the controller;
(7) a description of the controller's retention policies for personal data; and
(8) the date the privacy notice was last updated.
(b) If a controller sells personal data to third parties, processes personal data for targeted
advertising, or engages in profiling in furtherance of decisions that produce legal effects
concerning a consumer or similarly significant effects concerning a consumer, the controller
must disclose the processing in the privacy notice and provide access to a clear and
conspicuous method outside the privacy notice for a consumer to opt out of the sale,
processing, or profiling in furtherance of decisions that produce legal effects concerning a
consumer or similarly significant effects concerning a consumer. This method may include
but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your
Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web
page where the consumer can make the opt-out request.
(c) The privacy notice must be made available to the public in each language in which
the controller provides a product or service that is subject to the privacy notice or carries
out activities related to the product or service.
(d) The controller must provide the privacy notice in a manner that is reasonably
accessible to and usable by individuals with disabilities.
(e) Whenever a controller makes a material change to the controller's privacy notice or
practices, the controller must notify consumers affected by the material change with respect
to any prospectively collected personal data and provide a reasonable opportunity for
consumers to withdraw consent to any further materially different collection, processing,
or transfer of previously collected personal data under the changed policy. The controller
shall take all reasonable electronic measures to provide notification regarding material
changes to affected consumers, taking into account available technology and the nature of
the relationship.
(f) A controller is not required to provide a separate Minnesota-specific privacy notice
or section of a privacy notice if the controller's general privacy notice contains all the
information required by this section.
(g) The privacy notice must be posted online through a conspicuous hyperlink using the
word "privacy" on the controller's website home page or on a mobile application's app store
page or download page. A controller that maintains an application on a mobile or other
device shall also include a hyperlink to the privacy notice in the application's settings menu
or in a similarly conspicuous and accessible location. A controller that does not operate a
website shall make the privacy notice conspicuously available to consumers through a
medium regularly used by the controller to interact with consumers, including but not limited
to mail.
new text begin
(h) If a controller sells personal data to third parties, processes personal data for targeted
advertising, or engages in profiling in furtherance of decisions that produce legal effects
concerning a consumer or similarly significant effects concerning a consumer, the controller's
privacy notice must be clearly and conspicuously titled as a "surveillance notice."
new text end