Minnesota Legislature
HF 1367
as introduced - 93rd Legislature (2023 - 2024) Posted on 03/06/2023 06:56pm
1.7 1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26 2.27 2.28 2.29 2.30 2.31 2.32 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 3.31
4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22 4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 4.31 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13 5.14 5.15 5.16 5.17 5.18 5.19 5.20 5.21 5.22
5.23 5.24 5.25 5.26 5.27 5.28 5.29 5.30 5.31 5.32 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 6.10 6.11 6.12 6.13 6.14 6.15 6.16 6.17 6.18 6.19 6.20 6.21 6.22 6.23 6.24 6.25 6.26 6.27 6.28
6.29 6.30 6.31 6.32 7.1 7.2 7.3 7.4
7.5 7.6 7.7 7.8 7.9 7.10 7.11 7.12 7.13 7.14 7.15 7.16 7.17 7.18 7.19 7.20 7.21 7.22 7.23 7.24 7.25 7.26 7.27 7.28 7.29 7.30 7.31 7.32 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8
8.9 8.10 8.11 8.12 8.13 8.14 8.15 8.16 8.17 8.18 8.19 8.20 8.21 8.22 8.23 8.24 8.25 8.26
8.27 8.28 8.29 8.30 8.31 9.1 9.2 9.3 9.4 9.5 9.6 9.7 9.8 9.9 9.10 9.11 9.12 9.13 9.14 9.15 9.16 9.17 9.18 9.19 9.20 9.21 9.22 9.23 9.24 9.25 9.26 9.27 9.28 9.29
10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8 10.9 10.10 10.11 10.12 10.13 10.14
10.15 10.16 10.17 10.18 10.19 10.20 10.21 10.22 10.23 10.24 10.25 10.26 10.27 10.28 10.29 10.30 10.31 11.1 11.2 11.3 11.4 11.5 11.6 11.7 11.8 11.9 11.10 11.11 11.12 11.13 11.14 11.15 11.16
11.17 11.18
A bill for an act
relating to consumer data privacy; giving various rights to consumers regarding
personal data; placing data transparency obligations on businesses; creating a
private right of action; providing for enforcement by the attorney general; proposing
coding for new law as Minnesota Statutes, chapter 325O.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Section 1.
new text begin
[325O.01] DEFINITIONS.
new text end
new text begin Subdivision 1. new text end
new text begin Scope. new text end
new text begin
As used in this chapter, the terms defined in this section have the
meanings given.
new text end
new text begin Subd. 2. new text end
new text begin Business. new text end
new text begin
"Business" means an individual, corporation, business trust, estate,
trust, partnership, limited liability company, association, joint venture, or any other legal
or commercial entity that is organized or operated for the profit or financial benefit of the
business's shareholders or other owners.
new text end
new text begin Subd. 3. new text end
new text begin Business purpose. new text end
new text begin
"Business purpose" means the use of personal information
for a business's or a service provider's operational purposes, or other notified purposes,
provided that the use of personal information must be reasonably necessary and proportionate
to achieve the operational purpose for which the personal information was collected or
processed or for another operational purpose that is compatible with the context in which
the personal information was collected. Business purposes include but are not limited to:
new text end
new text begin
(1) auditing related to a current interaction with the consumer and concurrent transactions,
including but not limited to counting ad impressions to unique visitors, verifying positioning
and quality of ad impressions, and auditing compliance with this specification and other
standards;
new text end
new text begin
(2) detecting security incidents; protecting against malicious, deceptive, fraudulent, or
illegal activity; and prosecuting those responsible for that activity;
new text end
new text begin
(3) debugging to identify and repair errors that impair existing intended functionality;
new text end
new text begin
(4) short-term, transient use, provided the personal information is not disclosed to another
third party and is not used to build a profile about a consumer or otherwise alter an individual
consumer's experience outside the current interaction, including but not limited to the
contextual customization of ads shown as part of the same interaction;
new text end
new text begin
(5) performing services on behalf of the business or service provider, including
maintaining or servicing accounts, providing customer service, processing or fulfilling
orders and transactions, verifying customer information, processing payments, providing
financing, providing advertising or marketing services, providing analytic services, or
providing similar services on behalf of the business or service provider;
new text end
new text begin
(6) undertaking internal research for technological development and demonstration; and
new text end
new text begin
(7) undertaking activities to verify or maintain the quality or safety of a service or device
that is owned by, manufactured by, manufactured for, or controlled by the business.
new text end
new text begin Subd. 4. new text end
new text begin Collect. new text end
new text begin
"Collect" means buying, renting, gathering, obtaining, receiving, or
accessing any personal information pertaining to a consumer by any means. This includes
receiving information from the consumer, either actively or passively, or by observing the
consumer's behavior.
new text end
new text begin Subd. 5. new text end
new text begin Commercial purpose. new text end
new text begin
"Commercial purpose" means to advance a person's
commercial or economic interests, such as by inducing another person to buy, rent, lease,
join, subscribe to, provide, or exchange products, goods, property, information, or services
or enabling or effecting, directly or indirectly, a commercial transaction. Commercial purpose
does not include for the purpose of engaging in speech that state or federal courts have
recognized as noncommercial speech, including political speech and journalism.
new text end
new text begin Subd. 6. new text end
new text begin Consumer. new text end
new text begin
"Consumer" means a natural person who is a Minnesota resident.
new text end
new text begin Subd. 7. new text end
new text begin Disclose. new text end
new text begin
"Disclose" means releasing, disseminating, making available,
transferring, or otherwise communicating orally, in writing, or by electronic or other means,
a consumer's personal information by the business to a service provider for a business
purpose. Disclose does not include sell.
new text end
new text begin Subd. 8. new text end
new text begin Personal Information. new text end
new text begin
"Personal information" means information that identifies,
relates to, describes, is capable of being associated with, or could reasonably be linked,
directly or indirectly, with a particular consumer. Personal information includes but is not
limited to:
new text end
new text begin
(1) identifiers such as a real name, alias, postal address, telephone number, unique
personal identifier, online identifier, Internet Protocol address, e-mail address, account
name, Social Security number, driver's license or state identification card number, passport
number, signature, or other similar identifiers;
new text end
new text begin
(2) financial information such as a bank account number, loan or mortgage information,
income, an insurance policy, credit card number, or debit card number;
new text end
new text begin
(3) physical characteristics or descriptions;
new text end
new text begin
(4) education, professional, or employment-related information;
new text end
new text begin
(5) sleep, health, exercise, fitness, medical, or health insurance information;
new text end
new text begin
(6) characteristics of protected classifications under chapter 363A or federal law;
new text end
new text begin
(7) commercial information, including records of personal property; products or services
purchased, obtained, or considered; or other purchasing or consuming histories or tendencies;
new text end
new text begin
(8) biometric information such as genetic information as defined by section 13.386;
information derived from the iris, retina, fingerprint, face, other parts or features of the
body, voice recordings, keystroke patterns or rhythms, or gait patterns or rhythms;
new text end
new text begin
(9) internet or other electronic network activity information, including but not limited
to browsing history, search history, and information regarding a consumer's interaction with
an Internet website, application, or advertisement; and
new text end
new text begin
(10) inferences drawn from any of the information identified in this subdivision to create
a profile about a consumer reflecting the consumer's preferences, characteristics, traits,
predispositions, behavior, attitudes, abilities, and aptitudes.
new text end
new text begin Subd. 9. new text end
new text begin Sell. new text end
new text begin
"Sell" means selling, renting, releasing, disseminating, making available,
transferring, or otherwise communicating orally, in writing, or by electronic or other means,
a consumer's personal information by the business to a third party for a commercial purpose
or for any monetary or other valuable consideration. Sell does not include disclose.
new text end
new text begin Subd. 10. new text end
new text begin Service provider. new text end
new text begin
"Service provider" means a business to which another
business discloses a consumer's personal information.
new text end
new text begin Subd. 11. new text end
new text begin Third party. new text end
new text begin
"Third party" means a business to which another business sells
a consumer's personal information.
new text end
Sec. 2.
new text begin
[325O.03] SCOPE; EXCLUSIONS.
new text end
new text begin Subdivision 1. new text end
new text begin Scope. new text end
new text begin
(a) A business is subject to this chapter if the business:
new text end
new text begin
(1) has annual gross revenues in excess of $25,000,000;
new text end
new text begin
(2) annually buys or sells the personal information of 50,000 or more individuals,
households, or devices; or
new text end
new text begin
(3) derives 50 percent or more of the business's annual revenues from selling personal
information.
new text end
new text begin
(b) A business is also subject to this chapter if the business:
new text end
new text begin
(1) controls or is controlled by a separate business that meets any of the criteria under
paragraph (a); and
new text end
new text begin
(2) shares common branding with that separate business.
new text end
new text begin
(c) For purposes of paragraph (b):
new text end
new text begin
(1) "controls" or "controlled" means:
new text end
new text begin
(i) ownership of, or the power to vote, more than 50 percent of the outstanding shares
of any class of voting security of a business;
new text end
new text begin
(ii) control in any manner over the election of a majority of the directors or of individuals
exercising similar functions; or
new text end
new text begin
(iii) the power to exercise a controlling influence over the management of a company;
and
new text end
new text begin
(2) "common branding" means a shared name, service mark, or trademark.
new text end
new text begin Subd. 2. new text end
new text begin Exclusions. new text end
new text begin
For purposes of this chapter, the following actions do not constitute
the sale of personal information by a business.
new text end
new text begin
(1) A consumer intentionally directs the business to disclose the consumer's personal
information or uses the business to intentionally interact with a third party, provided the
third party does not also sell the personal information. Intentional action by a consumer
must be active and deliberate. Hovering over, muting, pausing, or closing a given piece of
content does not constitute intentional action.
new text end
new text begin
(2) The business uses or shares an identifier for a consumer who has opted out of the
sale of the consumer's personal information for the purpose of alerting a third party or a
service provider that the consumer has opted out of the sale of the consumer's personal
information.
new text end
new text begin
(3) The business discloses with a service provider personal information of a consumer
that is necessary to perform a business purpose and the following conditions are met:
new text end
new text begin
(i) the business has provided notice pursuant to section 325O.04 that the information
may be disclosed;
new text end
new text begin
(ii) the service provider does not further collect, sell, disclose, or use the personal
information of the consumer except as necessary to perform the business purpose; and
new text end
new text begin
(iii) the contract between the business and the service provider prohibits the service
provider from retaining, using, or disclosing the personal information for any purpose other
than the specific purpose of performing the services specified in the contract for the business,
or as otherwise permitted by this chapter, including retaining, using, or disclosing the
personal information for a commercial purpose other than providing the service specified
in the contract with the businesses.
new text end
new text begin
(4) The business transfers to a third party the personal information of a consumer as an
asset in the context of a merger, acquisition, bankruptcy, or other transaction in which the
third party assumes control of all or part of the business. If the third party materially alters
how it uses or shares the personal information of a consumer in a manner that is materially
inconsistent with the terms and conditions agreed upon by the consumer at the time of
collection, the third party must provide the consumer prior notice of the new or changed
practice. The notice must be sufficiently prominent and robust to ensure that existing
consumers can easily exercise rights under this chapter. This paragraph does not authorize
a business to make material, retroactive privacy policy changes or make other changes in
the business's privacy policy in a manner that would constitute a deceptive trade practice.
new text end
Sec. 3.
new text begin
[325O.04] BUSINESS TRANSPARENCY OBLIGATIONS.
new text end
new text begin Subdivision 1. new text end
new text begin
Business obligations regarding collection and disclosure of personal
information to service providers.
new text end
new text begin
(a) A business that collects personal information about
a consumer must, at or before the point of collection, notify the consumer of:
new text end
new text begin
(1) the categories of personal information the business collects about the consumer;
new text end
new text begin
(2) the categories of sources from which the business collects the personal information;
new text end
new text begin
(3) for each category of personal information, the business or commercial purpose for
collecting the personal information;
new text end
new text begin
(4) for each category of personal information, the categories of service providers to
which the personal information may be disclosed and the business purpose for the disclosure;
new text end
new text begin
(5) the consumer's right to access personal information under section 325O.045; and
new text end
new text begin
(6) the consumer's right to deletion of personal information under section 325O.052.
new text end
new text begin
(b) A business must not collect additional categories of personal information, use personal
information collected for additional purposes, or disclose additional personal information
without providing the consumer with notice consistent with paragraph (a).
new text end
new text begin
(c) A business must make available to consumers two or more designated methods for
submitting a request to either access personal information pursuant to section 325O.045 or
to delete personal information pursuant to section 325O.052. Such methods must include
a toll-free telephone number and, if the business maintains a website, a clear and conspicuous
link on the business's home page that enables a consumer to make a request pursuant to
section 325O.045 or 325O.052.
new text end
new text begin Subd. 2. new text end
new text begin
Business obligations regarding sale of personal information to third
parties.
new text end
new text begin
(a) A business that sells a consumer's personal information to a third party must,
at or before the point of sale:
new text end
new text begin
(1) notify the consumer which categories of personal information may be sold;
new text end
new text begin
(2) for each category of personal information the may be sold, notify the consumer of
the categories of third parties to which the personal information may be sold and the
commercial purpose for the sale; and
new text end
new text begin
(3) inform the consumer of the consumer's right to opt out of the sale under section
325O.05.
new text end
new text begin
(b) A business must not sell additional categories of personal information without
providing the consumer with notice consistent with paragraph (a).
new text end
new text begin
(c) A business that sells a consumer's personal information must make available to
consumers two or more designated methods for submitting a request to opt out of the
information sale pursuant to section 325O.05. Such methods must include a toll-free
telephone number and, if the business maintains a website, a clear and conspicuous link on
the business's home page titled "Do Not Sell My Personal Information" that enables a
consumer to opt out of the sale of the consumer's personal information.
new text end
Sec. 4.
new text begin
[325O.042] THIRD PARTY AND SERVICE PROVIDER OBLIGATIONS.
new text end
new text begin
(a) A third party must not sell personal information about a consumer that has been sold
to the third party by a business unless the consumer has received explicit notice and is
provided an opportunity to exercise the right to opt-out pursuant to section 325O.05.
new text end
new text begin
(b) A service provider to which a business discloses personal information of a consumer
for a business purpose must not further retain, sell, disclose, or use the personal information
except as necessary to perform the business purpose specified in the service provider's
contract with the business or as otherwise permitted by law.
new text end
Sec. 5.
new text begin
[325O.045] RIGHT TO ACCESS PERSONAL INFORMATION.
new text end
new text begin
(a) A consumer may at any time request that a business that collects a consumer's personal
information give the consumer access to the consumer's personal information collected by
the business, including:
new text end
new text begin
(1) the categories of personal information the business has collected about that consumer;
new text end
new text begin
(2) the categories of sources from which the business collects the personal information;
new text end
new text begin
(3) the specific pieces of personal information the business has collected about that
consumer;
new text end
new text begin
(4) for each category of personal information, the business or commercial purpose for
collecting the personal information;
new text end
new text begin
(5) for each category of personal information, the categories of service providers, if any,
to which the business discloses the personal information along with the business purpose
for the disclosure; and
new text end
new text begin
(6) for each category of personal information, the categories of third parties, if any, to
which the business sells the personal information along with the commercial purpose for
the sale.
new text end
new text begin
(b) A business must not require a consumer to create an account in order to make a
request under this section, but a business may require authentication of the consumer's
identity and the request. A business may require that the consumer make the request to
access the consumer's personal information through a designated method required by section
325O.04, subdivision 1, paragraph (c).
new text end
new text begin
(c) A business that receives a request from a consumer to access personal information
shall promptly take steps to disclose and deliver, free of charge to the consumer, the personal
information required by paragraph (a) within 45 days of receiving the consumer request.
The time period to provide the required information may be extended once by an additional
45 days when reasonably necessary, provided the consumer is notified of the extension
within the first 45-day period. The information may be delivered by mail or electronically,
and, if provided electronically, the information shall be in a portable and, to the extent
technically feasible, readily useable format that allows the consumer to transmit this
information to another entity without hindrance. A business shall not be required to provide
personal information to a consumer more than twice in a 12-month period.
new text end
new text begin
(d) This section shall not require a business to:
new text end
new text begin
(1) retain any personal information collected for a single, one-time transaction, if such
information is not sold or retained by the business; or
new text end
new text begin
(2) reidentify or otherwise link information that is not maintained in a manner that would
be considered personal information.
new text end
Sec. 6.
new text begin
[325O.05] RIGHT TO OPT OUT OF INFORMATION SALE.
new text end
new text begin
(a) A consumer may, at any time, direct a business that sells personal information about
the consumer to a third party not to sell the consumer's personal information. This may be
referred to as the right to opt out. A business must not require a consumer to create an
account in order to make a request under this section, but a business may require
authentication of the consumer's identity and the request. A business may require that the
consumer make the request through a designated method required by section 325O.04,
subdivision 2, paragraph (c).
new text end
new text begin
(b) Notwithstanding paragraph (a), a business must not sell the personal information of
a consumer if the business has actual knowledge that the consumer is less than 16 years of
age, unless the consumer, in the case of a consumer between 13 and 16 years of age, or the
consumer's parent or guardian, in the case of consumers who are less than 13 years of age,
has affirmatively authorized the sale of the consumer's personal information. A business
that willfully disregards the consumer's age shall be deemed to have had actual knowledge
of the consumer's age. This may be referred to as the minor's right to opt in.
new text end
new text begin
(c) A business that receives a request from a consumer not to sell a consumer's personal
information pursuant to paragraph (a), or that has not received an authorization for a
consumer pursuant to paragraph (b), must not sell that consumer's personal information.
new text end
Sec. 7.
new text begin
[325O.052] RIGHT TO DELETION OF PERSONAL INFORMATION.
new text end
new text begin Subdivision 1. new text end
new text begin Right granted. new text end
new text begin
(a) A consumer may request that a business delete any
personal information about the consumer which the business has collected from the consumer.
A business must not require a consumer to create an account in order to make a request
under this section, but a business may require authentication of the consumer's identity and
the request. A business may require that the consumer make the request through a designated
method required by section 325O.04, subdivision 1, paragraph (c).
new text end
new text begin
(b) A business that receives a request from a consumer to delete the consumer's personal
information pursuant to paragraph (a) shall delete the consumer's personal information from
the business's records and direct any service provider to delete the consumer's personal
information from the service provider's records.
new text end
new text begin Subd. 2. new text end
new text begin Exceptions provided. new text end
new text begin
A business or a service provider shall not be required
to comply with a consumer's request to delete the consumer's personal information if it is
necessary for the business or service provider to maintain the consumer's personal information
in order to:
new text end
new text begin
(1) complete the transaction for which the personal information was collected, fulfill
the terms of a written warranty or product recall conducted in accordance with federal law,
provide a good or service requested by the consumer or reasonably anticipated within the
context of a business's ongoing business relationship with the consumer, or otherwise
perform a contract between the business and the consumer;
new text end
new text begin
(2) detect security incidents; protect against malicious, deceptive, fraudulent, or illegal
activity; or prosecute those responsible for that activity;
new text end
new text begin
(3) debug to identify and repair errors that impair existing intended functionality;
new text end
new text begin
(4) exercise free speech, ensure the right of another consumer to exercise that consumer's
right of free speech, or exercise another right provided for by law;
new text end
new text begin
(5) engage in public or peer-reviewed scientific, historical, or statistical research in the
public interest that adheres to all other applicable ethics and privacy laws, when the business's
deletion of the information is likely to render impossible or seriously impair the achievement
of such research, if the consumer has provided informed consent;
new text end
new text begin
(6) to enable solely internal uses that are reasonably aligned with the expectations of
the consumer based on the consumer's relationship with the business;
new text end
new text begin
(7) comply with a legal obligation; or
new text end
new text begin
(8) otherwise use the consumer's personal information, internally, in a lawful manner
that is compatible with the context in which the consumer provided the information.
new text end
Sec. 8.
new text begin
[325O.07] DISCRIMINATION PROHIBITED.
new text end
new text begin
(a) A business must not discriminate against a consumer because the consumer exercised
any of the consumer's rights under this chapter. Discrimination prohibited by this section
includes but is not limited to:
new text end
new text begin
(1) denying goods or services to the consumer;
new text end
new text begin
(2) charging a different price or rate for goods or services, including imposing penalties
or through the use of discounts, financial incentives, or other benefits;
new text end
new text begin
(3) providing a different level or quality of goods or services to the consumer; or
new text end
new text begin
(4) the suggestion that a consumer will be subject to such discrimination if the consumer
exercises any of the consumer's rights under this chapter.
new text end
new text begin
(b) Nothing in this section prohibits a business from charging a consumer a different
price or rate for goods or services, or providing a different level or quality of goods or
services to a consumer, if the difference is reasonably related to the value provided to the
business by sale of the consumer's data.
new text end
Sec. 9.
new text begin
[325O.09] ENFORCEMENT; LIABILITY.
new text end
new text begin Subdivision 1. new text end
new text begin Enforcement. new text end
new text begin
(a) The attorney general may bring an action to enforce
a provision of this chapter in accordance with section 8.31. If the state prevails in an action
to enforce this chapter, the state, in addition to penalties provided by paragraph (b) or other
remedies provided by law, may be allowed an amount determined by the court to be the
reasonable value of all or part of the state's litigation expenses incurred.
new text end
new text begin
(b) In addition to other remedies provided by law, any person injured by a violation of
this chapter may bring a civil action to receive or recover:
new text end
new text begin
(1) damages not less than $100 and not more than $750 per consumer, per violation, or
the consumer's actual damages, whichever is greater;
new text end
new text begin
(2) the costs of investigation and reasonable attorney fees;
new text end
new text begin
(3) other equitable relief as determined by the court; and
new text end
new text begin
(4) in the case of a willful and malicious violation, exemplary damages in an amount
not exceeding three times other damages awarded.
new text end
new text begin
(c) In assessing the amount of damages under paragraph (b), clause (1), the court shall
consider any one the relevant circumstances presented by any of the parties to the case,
including but not limited to:
new text end
new text begin
(1) the nature and seriousness of the misconduct;
new text end
new text begin
(2) the number of violations;
new text end
new text begin
(3) the persistence of the misconduct;
new text end
new text begin
(4) the length of time over which the misconduct occurred;
new text end
new text begin
(5) the willfulness of the defendant's misconduct; and
new text end
new text begin
(6) the defendant's assets, liabilities, and net worth.
new text end
new text begin
(e) Any provision of a contract or agreement of any kind that purports to waive or limit
a business's compliance or a consumer's rights under this chapter is contrary to public policy
and is void and unenforceable.
new text end
new text begin Subd. 2. new text end
new text begin Liability. new text end
new text begin
(a) A business, service provider, or third party that violates this
chapter shall be liable for the violation.
new text end
new text begin
(b) A businesses that discloses a consumer's personal information to a service provider
or third party without violating this chapter shall not be liable for any subsequent violation
by the service provider or third party, provided that, at the time of disclosing the personal
information, the business did not have actual knowledge, or reason to believe, that the
service provider or third party intended to commit the violation.
new text end
Sec. 10. new text begin EFFECTIVE DATE.
new text end
new text begin
Sections 1 to 9 are effective June 30, 2024.
new text end