1st Engrossment - 93rd Legislature (2023 - 2024) Posted on 04/24/2024 02:12pm
A bill for an act
relating to commerce; modifying fees assessed by the Department of Commerce;
modifying appropriations to the Office of Cannabis Management; modifying
provisions governing cannabis and health responsibilities; modifying insurance
assessments and fees; giving various rights to consumers regarding personal data;
placing obligations on certain businesses regarding consumer data; providing for
enforcement by the attorney general; requiring reports; making technical changes;
amending Minnesota Statutes 2022, sections 45.0135, subdivision 7; 62Q.73,
subdivision 3; Minnesota Statutes 2023 Supplement, sections 144.197; 342.15, by
adding a subdivision; 342.72; Laws 2023, chapter 63, article 9, sections 10; 19;
20; proposing coding for new law in Minnesota Statutes, chapter 13; proposing
coding for new law as Minnesota Statutes, chapter 325O.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Section 1. new text begin APPROPRIATIONS.
new text begin
The sums shown in the columns marked "Appropriations" are added to or, if shown in
parentheses, subtracted from the appropriations in Laws 2023, chapter 63, article 9, to the
agencies and for the purposes specified in this article. The appropriations are from the
general fund, or another named fund, and are available for the fiscal years indicated for
each purpose. The figures "2024" and "2025" used in this article mean that the addition to
or subtraction from the appropriation listed under them is available for the fiscal year ending
June 30, 2024, or June 30, 2025, respectively. "The first year" is fiscal year 2024. "The
second year" is fiscal year 2025. Supplemental appropriations and reductions to
appropriations for the fiscal year ending June 30, 2024, are effective the day following final
enactment.
new text end
new text begin APPROPRIATIONS new text end
new text begin Available for the Year new text end
new text begin Ending June 30 new text end
new text begin 2024 new text end | new text begin 2025 new text end |
Sec. 2. new text begin OFFICE OF CANNABIS | new text begin $ -0- new text end | new text begin $ 2,727,000 new text end |
new text begin
(a) Enforcement of Temporary Regulations
new text end
new text begin
$1,107,000 in fiscal year 2025 is for regulation
of products subject to the requirements of
Minnesota Statutes, section 151.72. This is a
onetime appropriation.
new text end
new text begin
(b) Product Testing
new text end
new text begin
$771,000 in fiscal year 2025 is for testing
products regulated under Minnesota Statutes,
section 151.72, and chapter 342. The base for
this appropriation is $690,000 in fiscal year
2026 and each year thereafter.
new text end
new text begin
(c) Reference Laboratory
new text end
new text begin
$849,000 in fiscal year 2025 is to operate a
state reference laboratory. The base for this
appropriation is $632,000 in fiscal year 2026
and $696,000 in fiscal year 2027.
new text end
Sec. 3. new text begin DEPARTMENT OF HEALTH | new text begin $ -0- new text end | new text begin $ 5,500,000 new text end |
new text begin
$5,500,000 in fiscal year 2025 is for the
purposes outlined in Minnesota Statutes,
section 342.72.
new text end
new text begin
The general fund appropriation base for the attorney general is increased by $988,000
in fiscal year 2026 and $748,000 in fiscal year 2027 for staffing and other costs related to
potential violations, compliance monitoring, and enforcement of the Minnesota Consumer
Data Privacy Act.
new text end
Laws 2023, chapter 63, article 9, section 10, is amended to read:
Sec. 10. HEALTH
Subdivision 1. Total Appropriation | $ 3,300,000 | $ deleted text begin 20,252,000 deleted text end new text begin 17,525,000 new text end |
The base for this appropriation is deleted text begin $19,064,000 deleted text end new text begin
$17,742,000 new text end in fiscal year 2026 and deleted text begin each fiscal
year thereafter deleted text end new text begin $17,678,000 in fiscal year
2027 new text end.
The amounts that may be spent for each
purpose are specified in the following
subdivisions.
Subd. 2. Youth new text begin Prevention and new text end Education new text begin | -0- | deleted text begin 5,000,000 deleted text end new text begin 4,363,000 new text end |
For new text begin administration and new text end grants under Minnesota
Statutes, section 144.197, subdivision 1. new text begin Of
the amount appropriated, $2,863,000 is for
program operations and administration and
$1,500,000 is for grants. The base for this
appropriation is $4,534,000 in fiscal year 2026
and $4,470,000 in fiscal year 2027.
new text end
Subd. 3. new text begin Prevention and new text end Education deleted text begin Grants deleted text end for | -0- | deleted text begin 2,000,000 deleted text end new text begin 1,788,000 new text end |
For deleted text begin grants under deleted text end new text begin a coordinated prevention and
education program for pregnant and
breastfeeding individuals under new text end Minnesota
Statutes, section 144.197, subdivision 2. new text begin The
base for this appropriation is $1,834,000
beginning in fiscal year 2026.
new text end
Subd. 4. Local and Tribal Health Departments | -0- | 10,000,000 |
For new text begin administration and new text end grants under Minnesota
Statutes, section 144.197, subdivision 4. new text begin Of
the amount appropriated, $1,094,000 is for
administration and $8,906,000 is for grants.
new text end
Subd. 5. Cannabis Data Collection and Biennial | 493,000 | 493,000 |
For reports under Minnesota Statutes, section
144.196.
Subd. 6. Administration for Expungement | 71,000 | 71,000 |
For administration related to orders issued by
the Cannabis Expungement Board. The base
for this appropriation is $71,000 in fiscal year
2026, $71,000 in fiscal year 2027, $71,000 in
fiscal year 2028, $71,000 in fiscal year 2029,
and $0 in fiscal year 2030.
Subd. 7. Grants to the Minnesota Poison Control | 910,000 | 810,000 |
For new text begin administration and new text end grants under Minnesota
Statutes, section 145.93. new text begin Of the amount
appropriated in fiscal year 2025, $15,000 is
for administration and $795,000 is for grants.
new text end
Subd. 8. Temporary Regulation of Edible | 1,107,000 | deleted text begin 1,107,000 deleted text end new text begin -0- new text end |
For temporary regulation under the health
enforcement consolidation act of edible
products extracted from hemp. new text begin The
commissioner may transfer encumbrances and
unobligated amounts to the Office of Cannabis
Management for this purpose. new text end This is a
onetime appropriation.
Subd. 9. Testing deleted text begin . | 719,000 | deleted text begin 771,000 deleted text end new text begin -0- new text end |
For testing of edible cannabinoid products.
deleted text begin The base for this appropriation is $690,000 in
fiscal year 2026 and each fiscal year thereafter. deleted text end new text begin
The commissioner may transfer encumbrances
and unobligated amounts to the Office of
Cannabis Management for this purpose.
new text end
Laws 2023, chapter 63, article 9, section 19, is amended to read:
deleted text begin (a) deleted text end The commissioner of management and budget must reduce general fund appropriations
to the commissioner of corrections by $165,000 in fiscal year 2024 and $368,000 in fiscal
year 2025. The commissioner must reduce the base for general fund appropriations to the
commissioner of corrections by $460,000 in fiscal year 2026 and $503,000 in fiscal year
2027.
deleted text begin
(b) The commissioner of management and budget must reduce general fund appropriations
to the commissioner of health by $260,000 in fiscal year 2025 for the administration of the
medical cannabis program. The commissioner must reduce the base for general fund
appropriations to the commissioner of health by $781,000 in fiscal year 2026 and each fiscal
year thereafter.
deleted text end
deleted text begin
(c) The commissioner of management and budget must reduce state government special
revenue fund appropriations to the commissioner of health by $1,141,000 in fiscal year
2025 for the administration of the medical cannabis program. The commissioner must reduce
the base for state government special revenue fund appropriations to the commissioner of
health by $3,424,000 in fiscal year 2026 and each fiscal year thereafter.
deleted text end
Laws 2023, chapter 63, article 9, section 20, is amended to read:
deleted text begin (a) deleted text end $1,000,000 in fiscal year 2024 and $1,000,000 in fiscal year 2025 are transferred
from the general fund to the dual training account in the special revenue fund under
Minnesota Statutes, section 136A.246, subdivision 10, for grants to employers in the legal
cannabis industry. The base for this transfer is $1,000,000 in fiscal year 2026 and each fiscal
year thereafter. The commissioner may use up to six percent of the amount transferred for
administrative costs. The commissioner shall give priority to applications from employers
who are, or who are training employees who are, eligible to be social equity applicants
under Minnesota Statutes, section 342.17. After June 30, 2025, any unencumbered balance
from this transfer may be used for grants to any eligible employer under Minnesota Statutes,
section 136A.246.
deleted text begin
(b) $5,500,000 in fiscal year 2024 and $5,500,000 in fiscal year 2025 are transferred
from the general fund to the substance use treatment, recovery, and prevention grant account
established under Minnesota Statutes, section 342.72. The base for this transfer is $5,500,000
in fiscal year 2026 and each fiscal year thereafter.
deleted text end
new text begin
This section is effective the day following final enactment.
new text end
Minnesota Statutes 2023 Supplement, section 144.197, is amended to read:
The commissioner of health,
in consultation with the commissioners of human services and education and in collaboration
with local health departments new text begin and Tribal health departments new text end, shall conduct a long-term,
coordinated deleted text begin education deleted text end program to raise public awareness about deleted text begin and address the top three deleted text end new text begin
substance misuse prevention, treatment options, and recovery options. The program must
address new text end adverse health effects deleted text begin , as determined by the commissioner, deleted text end associated with the use
of cannabis flower, cannabis products, lower-potency hemp edibles, or hemp-derived
consumer products by persons under age 25. In conducting this education program, the
commissioner shall engage and consult with youth around the state on program content and
on methods to effectively disseminate program information to youth around the state.
The commissioner of health,
in consultation with the commissioners of human services and education, shall conduct a
long-term, coordinated new text begin prevention new text end program deleted text begin to educate deleted text end new text begin focused on (1) preventing substance
use by new text end pregnant individuals, breastfeeding individuals, and individuals who may become
pregnant new text begin , and (2) raising public awareness of the risks of substance use while pregnant or
breastfeeding. The program must include education new text end on the adverse health effects of prenatal
exposure to cannabis flower, cannabis products, lower-potency hemp edibles, or
hemp-derived consumer products and on the adverse health effects experienced by infants
and children who are exposed to cannabis flower, cannabis products, lower-potency hemp
edibles, or hemp-derived consumer products in breast milk, from secondhand smoke, or by
ingesting cannabinoid products. deleted text begin This deleted text end new text begin The prevention and new text end education program must also
educate individuals on what constitutes a substance use disorder, signs of a substance use
disorder, and treatment options for persons with a substance use disorder. new text begin The prevention
and education program must also provide resources, including training resources, technical
assistance, or educational materials, to local public health home visiting programs, Tribal
home visiting programs, and child welfare workers.
new text end
deleted text begin
The commissioner of health shall provide training,
technical assistance, and education materials to local public health home visiting programs
and Tribal home visiting programs and child welfare workers regarding the safe and unsafe
use of cannabis flower, cannabis products, lower-potency hemp edibles, or hemp-derived
consumer products in homes with infants and young children. Training, technical assistance,
and education materials shall address substance use, the signs of a substance use disorder,
treatment options for persons with a substance use disorder, the dangers of driving under
the influence of cannabis flower, cannabis products, lower-potency hemp edibles, or
hemp-derived consumer products, how to safely consume cannabis flower, cannabis products,
lower-potency hemp edibles, or hemp-derived consumer products in homes with infants
and young children, and how to prevent infants and young children from being exposed to
cannabis flower, cannabis products, lower-potency hemp edibles, or hemp-derived consumer
products by ingesting cannabinoid products or through secondhand smoke.
deleted text end
The commissioner of health shall
distribute grants to local health departments and Tribal health departments for deleted text begin these deleted text end new text begin the new text end
departments to create deleted text begin and disseminate educational materials on cannabis flower, cannabis
products, lower-potency hemp edibles, and hemp-derived consumer products and to provide
safe use and prevention training, education, technical assistance, and community engagement
regarding cannabis flower, cannabis products, lower-potency hemp edibles, and hemp-derived
consumer products. deleted text end new text begin prevention, education, and recovery programs focusing on substance
misuse prevention and treatment options. The programs may include specific cannabis-related
initiatives.
new text end
Minnesota Statutes 2023 Supplement, section 342.15, is amended by adding a
subdivision to read:
new text begin
A cannabis business background check account is
established as a separate account in the special revenue fund. All fees received by the office
under subdivision 1 must be deposited in the account and are appropriated to the office to
pay for the criminal records checks conducted by the Bureau of Criminal Apprehension and
Federal Bureau of Investigation.
new text end
Minnesota Statutes 2023 Supplement, section 342.72, is amended to read:
A substance use
treatment, recovery, and prevention grant deleted text begin account deleted text end new text begin program new text end is deleted text begin created in the special revenue
fund deleted text end new text begin established and must be administered by the commissioner of health new text end. deleted text begin Money in the
account, including interest earned, is appropriated to the office for the purposes specified
in this section. Of the amount transferred from the general fund to the account, the office
may use up to five percent for administrative expenses.
deleted text end
deleted text begin
Notwithstanding sections 16A.013 to 16A.016,
the office may accept money contributed by individuals and may apply for grants from
charitable foundations to be used for the purposes identified in this section. The money
accepted under this section must be deposited in the substance use treatment, recovery, and
prevention grant account created under subdivision 1.
deleted text end
(a) deleted text begin Money in the deleted text end Substance use treatment,
recovery, and prevention deleted text begin grant account deleted text end new text begin grants new text end must be distributed as follows:
(1) at least 75 percent of the money is for grants for substance use disorder and mental
health recovery and prevention programs. Funds must be used for recovery and prevention
activities and supplies that assist individuals and families to initiate, stabilize, and maintain
long-term recovery from substance use disorders and co-occurring mental health conditions.
Recovery and prevention activities may include prevention education, school-linked
behavioral health, school-based peer programs, peer supports, self-care and wellness,
culturally specific healing, community public awareness, mutual aid networks, telephone
recovery checkups, mental health warmlines, harm reduction, recovery community
organization development, first episode psychosis programs, and recovery housing; and
(2) up to 25 percent of the money is for substance use disorder treatment programs as
defined in chapter 245G and may be used to implement, strengthen, or expand supportive
services and activities that are not covered by medical assistance under chapter 256B,
MinnesotaCare under chapter 256L, or the behavioral health fund under chapter 254B.
Services and activities may include adoption or expansion of evidence-based practices;
competency-based training; continuing education; culturally specific and culturally responsive
services; sober recreational activities; developing referral relationships; family preservation
and healing; and start-up or capacity funding for programs that specialize in adolescent,
culturally specific, culturally responsive, disability-specific, co-occurring disorder, or family
treatment services.
(b) The deleted text begin office deleted text end new text begin commissioner of health new text end shall consult with the Governor's Advisory Council
on Opioids, Substance Use, and Addiction; the commissioner of human services; and deleted text begin the
commissioner of health deleted text end new text begin the Office of Cannabis Management new text end to develop an appropriate
application process, establish grant requirements, determine what organizations are eligible
to receive grants, and establish reporting requirements for grant recipients.
By January 15 deleted text begin , 2024, and deleted text end each deleted text begin January 15 deleted text end deleted text begin thereafter deleted text end new text begin
year new text end, the deleted text begin office deleted text end new text begin commissioner of health new text end must submit a report to the chairs and ranking
minority members of the committees of the house of representatives and the senate having
jurisdiction over health and human services policy and finance that details deleted text begin grants awarded
from deleted text end the substance use treatment, recovery, and prevention deleted text begin grant account deleted text end new text begin grants awarded new text end,
including the total amount awarded, total number of recipients, and geographic distribution
of those recipients. new text begin Notwithstanding section 144.05, subdivision 7, the reporting requirement
under this subdivision does not expire.
new text end
new text begin
By January 30, 2025, the commissioner of commerce must report to the chairs and
ranking minority members of the legislative committees with jurisdiction over commerce,
health, and human services, regarding the balance of the premium security plan account
under Minnesota Statutes, section 62E.25, subdivision 1, the estimated cost to continue the
premium security plan, and the plan's future interactions with public health programs. The
report must include an assessment of potential alternatives that would be available upon
expiration of the current waiver.
new text end
Minnesota Statutes 2022, section 45.0135, subdivision 7, is amended to read:
Each insurer authorized to sell insurance in the state of Minnesota,
including surplus lines carriers, and having Minnesota earned premium the previous calendar
year shall remit an assessment to the commissioner for deposit in the insurance fraud
prevention account on or before June 1 of each year. The amount of the assessment shall
be based on the insurer's total assets and on the insurer's total written Minnesota premium,
for the preceding fiscal year, as reported pursuant to section 60A.13. deleted text begin The assessment is
calculated to be an amount up to the following deleted text end new text begin Beginning with the payment due on or before
June 1, 2024, the assessment amount is new text end:
Total Assets | Assessment |
Less than $100,000,000 | $ deleted text begin 200 deleted text end new text begin 400 new text end |
$100,000,000 to $1,000,000,000 | $ deleted text begin 750 deleted text end new text begin 1,500 new text end |
Over $1,000,000,000 | $ deleted text begin 2,000 deleted text end new text begin 4,000 new text end |
Minnesota Written Premium | Assessment |
Less than $10,000,000 | $ deleted text begin 200 deleted text end new text begin 400 new text end |
$10,000,000 to $100,000,000 | $ deleted text begin 750 deleted text end new text begin 1,500 new text end |
Over $100,000,000 | $ deleted text begin 2,000 deleted text end new text begin 4,000 new text end |
For purposes of this subdivision, the following entities are not considered to be insurers
authorized to sell insurance in the state of Minnesota: risk retention groups; or township
mutuals organized under chapter 67A.
new text begin
This section is effective the day following final enactment.
new text end
Minnesota Statutes 2022, section 62Q.73, subdivision 3, is amended to read:
(a) Any enrollee or anyone acting on behalf of an
enrollee who has received an adverse determination may submit a written request for an
external review of the adverse determination, if applicable under section 62Q.68, subdivision
1, or 62M.06, to the commissioner of health if the request involves a health plan company
regulated by that commissioner or to the commissioner of commerce if the request involves
a health plan company regulated by that commissioner. Notification of the enrollee's right
to external review must accompany the denial issued by the insurer. deleted text begin The written request
must be accompanied by a filing fee of $25. The fee may be waived by the commissioner
of health or commerce in cases of financial hardship and must be refunded if the adverse
determination is completely reversed. No enrollee may be subject to filing fees totaling
more than $75 during a plan year for group coverage or policy year for individual coverage.
deleted text end
(b) Nothing in this section requires the commissioner of health or commerce to
independently investigate an adverse determination referred for independent external review.
(c) If an enrollee requests an external review, the health plan company must participate
in the external review. The cost of the external review deleted text begin in excess of the filing fee described
in paragraph (a) shall deleted text end new text begin must new text end be borne by the health plan company.
(d) The enrollee must request external review within six months from the date of the
adverse determination.
new text begin
The section referred to in this section is codified outside this
chapter. Those sections classify attorney general data as other than public, place restrictions
on access to government data, or involve data sharing.
new text end
new text begin
A data privacy and protection
assessment collected or maintained by the attorney general is classified under section
325O.08.
new text end
new text begin
This chapter may be cited as the "Minnesota Consumer Data Privacy Act."
new text end
new text begin
(a) For purposes of this chapter, the following terms have the meanings given.
new text end
new text begin
(b) "Affiliate" means a legal entity that controls, is controlled by, or is under common
control with another legal entity. For purposes of this paragraph, "control" or "controlled"
means: ownership of or the power to vote more than 50 percent of the outstanding shares
of any class of voting security of a company; control in any manner over the election of a
majority of the directors or of individuals exercising similar functions; or the power to
exercise a controlling influence over the management of a company.
new text end
new text begin
(c) "Authenticate" means to use reasonable means to determine that a request to exercise
any of the rights under section 325O.05, subdivision 1, paragraphs (b) to (h), is being made
by or rightfully on behalf of the consumer who is entitled to exercise the rights with respect
to the personal data at issue.
new text end
new text begin
(d) "Biometric data" means data generated by automatic measurements of an individual's
biological characteristics, including a fingerprint, a voiceprint, eye retinas, irises, or other
unique biological patterns or characteristics that are used to identify a specific individual.
Biometric data does not include:
new text end
new text begin
(1) a digital or physical photograph;
new text end
new text begin
(2) an audio or video recording; or
new text end
new text begin
(3) any data generated from a digital or physical photograph, or an audio or video
recording, unless the data is generated to identify a specific individual.
new text end
new text begin
(e) "Child" has the meaning given in United States Code, title 15, section 6501.
new text end
new text begin
(f) "Consent" means any freely given, specific, informed, and unambiguous indication
of the consumer's wishes by which the consumer signifies agreement to the processing of
personal data relating to the consumer. Acceptance of a general or broad terms of use or
similar document that contains descriptions of personal data processing along with other,
unrelated information does not constitute consent. Hovering over, muting, pausing, or closing
a given piece of content does not constitute consent. A consent is not valid when the
consumer's indication has been obtained by a dark pattern. A consumer may revoke consent
previously given, consistent with this chapter.
new text end
new text begin
(g) "Consumer" means a natural person who is a Minnesota resident acting only in an
individual or household context. Consumer does not include a natural person acting in a
commercial or employment context.
new text end
new text begin
(h) "Controller" means the natural or legal person who, alone or jointly with others,
determines the purposes and means of the processing of personal data.
new text end
new text begin
(i) "Decisions that produce legal or similarly significant effects concerning the consumer"
means decisions made by the controller that result in the provision or denial by the controller
of financial or lending services, housing, insurance, education enrollment or opportunity,
criminal justice, employment opportunities, health care services, or access to essential goods
or services.
new text end
new text begin
(j) "Dark pattern" means a user interface designed or manipulated with the substantial
effect of subverting or impairing user autonomy, decision making, or choice.
new text end
new text begin
(k) "Deidentified data" means data that cannot reasonably be used to infer information
about or otherwise be linked to an identified or identifiable natural person or a device linked
to an identified or identifiable natural person, provided that the controller that possesses the
data:
new text end
new text begin
(1) takes reasonable measures to ensure that the data cannot be associated with a natural
person;
new text end
new text begin
(2) publicly commits to process the data only in a deidentified fashion and not attempt
to reidentify the data; and
new text end
new text begin
(3) contractually obligates any recipients of the information to comply with all provisions
of this paragraph.
new text end
new text begin
(l) "Delete" means to remove or destroy information so that it is not maintained in human-
or machine-readable form and cannot be retrieved or utilized in the ordinary course of
business.
new text end
new text begin
(m) "Genetic information" has the meaning given in section 13.386, subdivision 1.
new text end
new text begin
(n) "Identified or identifiable natural person" means a person who can be readily
identified, directly or indirectly.
new text end
new text begin
(o) "Known child" means a person under circumstances where a controller has actual
knowledge of, or willfully disregards, that the person is under 13 years of age.
new text end
new text begin
(p) "Personal data" means any information that is linked or reasonably linkable to an
identified or identifiable natural person. Personal data does not include deidentified data or
publicly available information. For purposes of this paragraph, "publicly available
information" means information that (1) is lawfully made available from federal, state, or
local government records or widely distributed media, or (2) a controller has a reasonable
basis to believe has lawfully been made available to the general public.
new text end
new text begin
(q) "Process" or "processing" means any operation or set of operations that are performed
on personal data or on sets of personal data, whether or not by automated means, including
but not limited to the collection, use, storage, disclosure, analysis, deletion, or modification
of personal data.
new text end
new text begin
(r) "Processor" means a natural or legal person who processes personal data on behalf
of a controller.
new text end
new text begin
(s) "Profiling" means any form of automated processing of personal data to evaluate,
analyze, or predict personal aspects related to an identified or identifiable natural person's
economic situation, health, personal preferences, interests, reliability, behavior, location,
or movements.
new text end
new text begin
(t) "Pseudonymous data" means personal data that cannot be attributed to a specific
natural person without the use of additional information, provided that the additional
information is kept separately and is subject to appropriate technical and organizational
measures to ensure that the personal data are not attributed to an identified or identifiable
natural person.
new text end
new text begin
(u) "Sale," "sell," or "sold" means the exchange of personal data for monetary or other
valuable consideration by the controller to a third party. Sale does not include the following:
new text end
new text begin
(1) the disclosure of personal data to a processor who processes the personal data on
behalf of the controller;
new text end
new text begin
(2) the disclosure of personal data to a third party for purposes of providing a product
or service requested by the consumer;
new text end
new text begin
(3) the disclosure or transfer of personal data to an affiliate of the controller;
new text end
new text begin
(4) the disclosure of information that the consumer intentionally made available to the
general public via a channel of mass media and did not restrict to a specific audience;
new text end
new text begin
(5) the disclosure or transfer of personal data to a third party as an asset that is part of a
completed or proposed merger, acquisition, bankruptcy, or other transaction in which the
third party assumes control of all or part of the controller's assets; or
new text end
new text begin
(6) the exchange of personal data between the producer of a good or service and
authorized agents of the producer who sell and service the goods and services, to enable
the cooperative provisioning of goods and services by both the producer and the producer's
agents.
new text end
new text begin
(v) Sensitive data is a form of personal data. "Sensitive data" means:
new text end
new text begin
(1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical
health condition or diagnosis, sexual orientation, or citizenship or immigration status;
new text end
new text begin
(2) the processing of biometric data or genetic information for the purpose of uniquely
identifying an individual;
new text end
new text begin
(3) the personal data of a known child; or
new text end
new text begin
(4) specific geolocation data.
new text end
new text begin
(w) "Specific geolocation data" means information derived from technology, including
but not limited to global positioning system level latitude and longitude coordinates or other
mechanisms, that directly identifies the geographic coordinates of a consumer or a device
linked to a consumer with an accuracy of more than three decimal degrees of latitude and
longitude or the equivalent in an alternative geographic coordinate system, or a street address
derived from the coordinates. Specific geolocation data does not include the content of
communications, the contents of databases containing street address information which are
accessible to the public as authorized by law, or any data generated by or connected to
advanced utility metering infrastructure systems or other equipment for use by a public
utility.
new text end
new text begin
(x) "Targeted advertising" means displaying advertisements to a consumer where the
advertisement is selected based on personal data obtained or inferred from the consumer's
activities over time and across nonaffiliated websites or online applications to predict the
consumer's preferences or interests. Targeted advertising does not include:
new text end
new text begin
(1) advertising based on activities within a controller's own websites or online
applications;
new text end
new text begin
(2) advertising based on the context of a consumer's current search query or visit to a
website or online application;
new text end
new text begin
(3) advertising to a consumer in response to the consumer's request for information or
feedback; or
new text end
new text begin
(4) processing personal data solely for measuring or reporting advertising performance,
reach, or frequency.
new text end
new text begin
(y) "Third party" means a natural or legal person, public authority, agency, or body other
than the consumer, controller, processor, or an affiliate of the processor or the controller.
new text end
new text begin
(z) "Trade secret" has the meaning given in section 325C.01, subdivision 5.
new text end
new text begin
(a) This chapter applies to legal entities that conduct business in Minnesota or produce
products or services that are targeted to residents of Minnesota, and that satisfy one or more
of the following thresholds:
new text end
new text begin
(1) during a calendar year, controls or processes personal data of 100,000 consumers or
more, excluding personal data controlled or processed solely for the purpose of completing
a payment transaction; or
new text end
new text begin
(2) derives over 25 percent of gross revenue from the sale of personal data and processes
or controls personal data of 25,000 consumers or more.
new text end
new text begin
(b) A controller or processor acting as a technology provider under section 13.32 shall
comply with this chapter and section 13.32, except that when the provisions of section 13.32
conflict with this chapter, section 13.32 prevails.
new text end
new text begin
(a) This chapter does not apply to the following entities, activities, or types of information:
new text end
new text begin
(1) a government entity, as defined by section 13.02, subdivision 7a;
new text end
new text begin
(2) a federally recognized Indian tribe;
new text end
new text begin
(3) information that meets the definition of:
new text end
new text begin
(i) protected health information, as defined by and for purposes of the Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191, and related regulations;
new text end
new text begin
(ii) health records, as defined in section 144.291, subdivision 2;
new text end
new text begin
(iii) patient identifying information for purposes of Code of Federal Regulations, title
42, part 2, established pursuant to United States Code, title 42, section 290dd-2;
new text end
new text begin
(iv) identifiable private information for purposes of the federal policy for the protection
of human subjects, Code of Federal Regulations, title 45, part 46; identifiable private
information that is otherwise information collected as part of human subjects research
pursuant to the good clinical practice guidelines issued by the International Council for
Harmonisation; the protection of human subjects under Code of Federal Regulations, title
21, parts 50 and 56; or personal data used or shared in research conducted in accordance
with one or more of the requirements set forth in this paragraph;
new text end
new text begin
(v) information and documents created for purposes of the federal Health Care Quality
Improvement Act of 1986, Public Law 99-660, and related regulations; or
new text end
new text begin
(vi) patient safety work product for purposes of Code of Federal Regulations, title 42,
part 3, established pursuant to United States Code, title 42, sections 299b-21 to 299b-26;
new text end
new text begin
(4) information that is derived from any of the health care-related information listed in
clause (3), but that has been deidentified in accordance with the requirements for
deidentification set forth in Code of Federal Regulations, title 45, part 164;
new text end
new text begin
(5) information originating from, and intermingled to be indistinguishable with, any of
the health care-related information listed in clause (3) that is maintained by:
new text end
new text begin
(i) a covered entity or business associate, as defined by the Health Insurance Portability
and Accountability Act of 1996, Public Law 104-191, and related regulations;
new text end
new text begin
(ii) a health care provider, as defined in section 144.291, subdivision 2; or
new text end
new text begin
(iii) a program or a qualified service organization, as defined by Code of Federal
Regulations, title 42, part 2, established pursuant to United States Code, title 42, section
290dd-2;
new text end
new text begin
(6) information that is:
new text end
new text begin
(i) maintained by an entity that meets the definition of health care provider under Code
of Federal Regulations, title 45, section 160.103, to the extent that the entity maintains the
information in the manner required of covered entities with respect to protected health
information for purposes of the Health Insurance Portability and Accountability Act of
1996, Public Law 104-191, and related regulations;
new text end
new text begin
(ii) included in a limited data set, as described under Code of Federal Regulations, title
45, part 164.514(e), to the extent that the information is used, disclosed, and maintained in
the manner specified by that part;
new text end
new text begin
(iii) maintained by, or maintained to comply with the rules or orders of, a self-regulatory
organization as defined by United States Code, title 15, section 78c(a)(26); or
new text end
new text begin
(iv) originated from, or intermingled with, information described in clause (9) and that
a licensed residential mortgage originator, as defined under section 58.02, subdivision 19,
or residential mortgage servicer, as defined under section 58.02, subdivision 20, collects,
processes, uses, or maintains in the same manner as required under the laws and regulations
specified in clause (9);
new text end
new text begin
(7) information used only for public health activities and purposes, as described under
Code of Federal Regulations, title 45, part 164.512;
new text end
new text begin
(8) an activity involving the collection, maintenance, disclosure, sale, communication,
or use of any personal data bearing on a consumer's credit worthiness, credit standing, credit
capacity, character, general reputation, personal characteristics, or mode of living by a
consumer reporting agency, as defined in United States Code, title 15, section 1681a(f), by
a furnisher of information, as set forth in United States Code, title 15, section 1681s-2, who
provides information for use in a consumer report, as defined in United States Code, title
15, section 1681a(d), and by a user of a consumer report, as set forth in United States Code,
title 15, section 1681b, except that information is only excluded under this paragraph to the
extent that the activity involving the collection, maintenance, disclosure, sale, communication,
or use of the information by the agency, furnisher, or user is subject to regulation under the
federal Fair Credit Reporting Act, United States Code, title 15, sections 1681 to 1681x, and
the information is not collected, maintained, used, communicated, disclosed, or sold except
as authorized by the Fair Credit Reporting Act;
new text end
new text begin
(9) personal data collected, processed, sold, or disclosed pursuant to the federal
Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations, if the
collection, processing, sale, or disclosure is in compliance with that law;
new text end
new text begin
(10) personal data collected, processed, sold, or disclosed pursuant to the federal Driver's
Privacy Protection Act of 1994, United States Code, title 18, sections 2721 to 2725, if the
collection, processing, sale, or disclosure is in compliance with that law;
new text end
new text begin
(11) personal data regulated by the federal Family Educational Rights and Privacy Act,
United States Code, title 20, section 1232g, and implementing regulations;
new text end
new text begin
(12) personal data collected, processed, sold, or disclosed pursuant to the federal Farm
Credit Act of 1971, as amended, United States Code, title 12, sections 2001 to 2279cc, and
implementing regulations, Code of Federal Regulations, title 12, part 600, if the collection,
processing, sale, or disclosure is in compliance with that law;
new text end
new text begin
(13) data collected or maintained:
new text end
new text begin
(i) in the course of an individual acting as a job applicant to or an employee, owner,
director, officer, medical staff member, or contractor of a business if the data is collected
and used solely within the context of the role;
new text end
new text begin
(ii) as the emergency contact information of an individual under item (i) if used solely
for emergency contact purposes; or
new text end
new text begin
(iii) that is necessary for the business to retain to administer benefits for another individual
relating to the individual under item (i) if used solely for the purposes of administering those
benefits;
new text end
new text begin
(14) personal data collected, processed, sold, or disclosed pursuant to the Minnesota
Insurance Fair Information Reporting Act in sections 72A.49 to 72A.505;
new text end
new text begin
(15) data collected, processed, sold, or disclosed as part of a payment-only credit, check,
or cash transaction where no data about consumers, as defined in section 325O.02, are
retained;
new text end
new text begin
(16) a state or federally chartered bank or credit union, or an affiliate or subsidiary that
is principally engaged in financial activities, as described in United States Code, title 12,
section 1843(k);
new text end
new text begin
(17) information that originates from, or is intermingled so as to be indistinguishable
from, information described in clause (8) and that a person licensed under chapter 56 collects,
processes, uses, or maintains in the same manner as is required under the laws and regulations
specified in clause (8);
new text end
new text begin
(18) an insurance company, as defined in section 60A.02, subdivision 4, an insurance
producer, as defined in section 60K.31, subdivision 6, a third-party administrator of
self-insurance, or an affiliate or subsidiary of any entity identified in this clause that is
principally engaged in financial activities, as described in United States Code, title 12,
section 1843(k), except that this clause does not apply to a person that, alone or in
combination with another person, establishes and maintains a self-insurance program that
does not otherwise engage in the business of entering into policies of insurance;
new text end
new text begin
(19) a small business, as defined by the United States Small Business Administration
under Code of Federal Regulations, title 13, part 121, except that a small business identified
in this clause is subject to section 325O.075;
new text end
new text begin
(20) a nonprofit organization that is established to detect and prevent fraudulent acts in
connection with insurance; and
new text end
new text begin
(21) an air carrier subject to the federal Airline Deregulation Act, Public Law 95-504,
only to the extent that an air carrier collects personal data related to prices, routes, or services
and only to the extent that the provisions of the Airline Deregulation Act preempt the
requirements of this chapter.
new text end
new text begin
(b) Controllers that are in compliance with the Children's Online Privacy Protection Act,
United States Code, title 15, sections 6501 to 6506, and implementing regulations, shall be
deemed compliant with any obligation to obtain parental consent under this chapter.
new text end
new text begin
(a) Controllers and processors are responsible for meeting the respective obligations
established under this chapter.
new text end
new text begin
(b) Processors are responsible under this chapter for adhering to the instructions of the
controller and assisting the controller to meet the controller's obligations under this chapter.
Assistance under this paragraph shall include the following:
new text end
new text begin
(1) taking into account the nature of the processing, the processor shall assist the controller
by appropriate technical and organizational measures, insofar as this is possible, for the
fulfillment of the controller's obligation to respond to consumer requests to exercise their
rights pursuant to section 325O.05; and
new text end
new text begin
(2) taking into account the nature of processing and the information available to the
processor, the processor shall assist the controller in meeting the controller's obligations in
relation to the security of processing the personal data and in relation to the notification of
a breach of the security of the system pursuant to section 325E.61, and shall provide
information to the controller necessary to enable the controller to conduct and document
any data privacy and protection assessments required by section 325O.08.
new text end
new text begin
(c) A contract between a controller and a processor shall govern the processor's data
processing procedures with respect to processing performed on behalf of the controller. The
contract shall be binding and clearly set forth instructions for processing data, the nature
and purpose of processing, the type of data subject to processing, the duration of processing,
and the rights and obligations of both parties. The contract shall also require that the
processor:
new text end
new text begin
(1) ensure that each person processing the personal data is subject to a duty of
confidentiality with respect to the data; and
new text end
new text begin
(2) engage a subcontractor only (i) after providing the controller with an opportunity to
object, and (ii) pursuant to a written contract in accordance with paragraph (e) that requires
the subcontractor to meet the obligations of the processor with respect to the personal data.
new text end
new text begin
(d) Taking into account the context of processing, the controller and the processor shall
implement appropriate technical and organizational measures to ensure a level of security
appropriate to the risk and establish a clear allocation of the responsibilities between the
controller and the processor to implement the technical and organizational measures.
new text end
new text begin
(e) Processing by a processor shall be governed by a contract between the controller and
the processor that is binding on both parties and that sets out the processing instructions to
which the processor is bound, including the nature and purpose of the processing, the type
of personal data subject to the processing, the duration of the processing, and the obligations
and rights of both parties. The contract shall include the requirements imposed by this
paragraph, paragraphs (c) and (d), as well as the following requirements:
new text end
new text begin
(1) at the choice of the controller, the processor shall delete or return all personal data
to the controller as requested at the end of the provision of services, unless retention of the
personal data is required by law;
new text end
new text begin
(2) upon a reasonable request from the controller, the processor shall make available to
the controller all information necessary to demonstrate compliance with the obligations in
this chapter; and
new text end
new text begin
(3) the processor shall allow for, and contribute to, reasonable assessments and inspections
by the controller or the controller's designated assessor. Alternatively, the processor may
arrange for a qualified and independent assessor to conduct, at least annually and at the
processor's expense, an assessment of the processor's policies and technical and organizational
measures in support of the obligations under this chapter. The assessor must use an
appropriate and accepted control standard or framework and assessment procedure for
assessments as applicable, and shall provide a report of an assessment to the controller upon
request.
new text end
new text begin
(f) In no event shall any contract relieve a controller or a processor from the liabilities
imposed on a controller or processor by virtue of the controller's or processor's roles in the
processing relationship under this chapter.
new text end
new text begin
(g) Determining whether a person is acting as a controller or processor with respect to
a specific processing of data is a fact-based determination that depends upon the context in
which personal data are to be processed. A person that is not limited in the person's processing
of personal data pursuant to a controller's instructions, or that fails to adhere to a controller's
instructions, is a controller and not a processor with respect to a specific processing of data.
A processor that continues to adhere to a controller's instructions with respect to a specific
processing of personal data remains a processor. If a processor begins, alone or jointly with
others, determining the purposes and means of the processing of personal data, the processor
is a controller with respect to the processing.
new text end
new text begin
(a) Except as provided in this chapter, a controller must comply with a request to exercise the
consumer rights provided in this subdivision.
new text end
new text begin
(b) A consumer has the right to confirm whether or not a controller is processing personal
data concerning the consumer and access the categories of personal data the controller is
processing.
new text end
new text begin
(c) A consumer has the right to correct inaccurate personal data concerning the consumer,
taking into account the nature of the personal data and the purposes of the processing of the
personal data.
new text end
new text begin
(d) A consumer has the right to delete personal data concerning the consumer.
new text end
new text begin
(e) A consumer has the right to obtain personal data concerning the consumer, which
the consumer previously provided to the controller, in a portable and, to the extent technically
feasible, readily usable format that allows the consumer to transmit the data to another
controller without hindrance, where the processing is carried out by automated means.
new text end
new text begin
(f) A consumer has the right to opt out of the processing of personal data concerning
the consumer for purposes of targeted advertising, the sale of personal data, or profiling in
furtherance of automated decisions that produce legal effects concerning a consumer or
similarly significant effects concerning a consumer.
new text end
new text begin
(g) If a consumer's personal data is profiled in furtherance of decisions that produce
legal effects concerning a consumer or similarly significant effects concerning a consumer,
the consumer has the right to question the result of the profiling, to be informed of the reason
that the profiling resulted in the decision, and, if feasible, to be informed of what actions
the consumer might have taken to secure a different decision and the actions that the
consumer might take to secure a different decision in the future. The consumer has the right
to review the consumer's personal data used in the profiling. If the decision is determined
to have been based upon inaccurate personal data, taking into account the nature of the
personal data and the purposes of the processing of the personal data, the consumer has the
right to have the data corrected and the profiling decision reevaluated based upon the
corrected data.
new text end
new text begin
(h) A consumer has a right to obtain a list of the specific third parties to which the
controller has disclosed the consumer's personal data. If the controller does not maintain
the information in a format specific to the consumer, a list of specific third parties to whom
the controller has disclosed any consumers' personal data may be provided instead.
new text end
new text begin
(a) A consumer may exercise the rights set forth in this section by submitting a request, at any
time, to a controller specifying which rights the consumer wishes to exercise.
new text end
new text begin
(b) In the case of processing personal data concerning a known child, the parent or legal
guardian of the known child may exercise the rights of this chapter on the child's behalf.
new text end
new text begin
(c) In the case of processing personal data concerning a consumer legally subject to
guardianship or conservatorship under sections 524.5-101 to 524.5-502, the guardian or the
conservator of the consumer may exercise the rights of this chapter on the consumer's behalf.
new text end
new text begin
(d) A consumer may designate another person as the consumer's authorized agent to
exercise the consumer's right to opt out of the processing of the consumer's personal data
for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the
consumer's behalf. A consumer may designate an authorized agent by way of, among other
things, a technology, including but not limited to an Internet link or a browser setting,
browser extension, or global device setting, indicating the consumer's intent to opt out of
the processing. A controller shall comply with an opt-out request received from an authorized
agent if the controller is able to verify, with commercially reasonable effort, the identity of
the consumer and the authorized agent's authority to act on the consumer's behalf.
new text end
new text begin
(a) A controller must allow a consumer to opt out of any processing of the consumer's personal
data for the purposes of targeted advertising, or any sale of the consumer's personal data
through an opt-out preference signal sent, with the consumer's consent, by a platform,
technology, or mechanism to the controller indicating the consumer's intent to opt out of the
processing or sale. The platform, technology, or mechanism must:
new text end
new text begin
(1) not unfairly disadvantage another controller;
new text end
new text begin
(2) not make use of a default setting, but require the consumer to make an affirmative,
freely given, and unambiguous choice to opt out of the processing of the consumer's personal
data;
new text end
new text begin
(3) be consumer-friendly and easy to use by the average consumer;
new text end
new text begin
(4) be as consistent as possible with any other similar platform, technology, or mechanism
required by any federal or state law or regulation; and
new text end
new text begin
(5) enable the controller to accurately determine whether the consumer is a Minnesota
resident and whether the consumer has made a legitimate request to opt out of any sale of
the consumer's personal data or targeted advertising. For purposes of this paragraph, the
use of an Internet protocol address to estimate the consumer's location is sufficient to
determine the consumer's residence.
new text end
new text begin
(b) If a consumer's opt-out request is exercised through the platform, technology, or
mechanism required under paragraph (a), and the request conflicts with the consumer's
existing controller-specific privacy setting or voluntary participation in a controller's bona
fide loyalty, rewards, premium features, discounts, or club card program, the controller
must comply with the consumer's opt-out preference signal but may also notify the consumer
of the conflict and provide the consumer a choice to confirm the controller-specific privacy
setting or participation in the controller's program.
new text end
new text begin
(c) The platform, technology, or mechanism required under paragraph (a) is subject to
the requirements of subdivision 4.
new text end
new text begin
(d) A controller that recognizes opt-out preference signals that have been approved by
other state laws or regulations is in compliance with this subdivision.
new text end
new text begin
(a) Except as provided in this chapter, a controller must comply with a request to exercise the
rights pursuant to subdivision 1.
new text end
new text begin
(b) A controller must provide one or more secure and reliable means for consumers to
submit a request to exercise the consumer's rights under this section. The means made
available must take into account the ways in which consumers interact with the controller
and the need for secure and reliable communication of the requests.
new text end
new text begin
(c) A controller may not require a consumer to create a new account in order to exercise
a right, but a controller may require a consumer to use an existing account to exercise the
consumer's rights under this section.
new text end
new text begin
(d) A controller must comply with a request to exercise the right in subdivision 1,
paragraph (f), as soon as feasibly possible, but no later than 45 days of receipt of the request.
new text end
new text begin
(e) A controller must inform a consumer of any action taken on a request under
subdivision 1 without undue delay and in any event within 45 days of receipt of the request.
That period may be extended once by 45 additional days where reasonably necessary, taking
into account the complexity and number of the requests. The controller must inform the
consumer of any extension within 45 days of receipt of the request, together with the reasons
for the delay.
new text end
new text begin
(f) If a controller does not take action on a consumer's request, the controller must inform
the consumer without undue delay and at the latest within 45 days of receipt of the request
of the reasons for not taking action and instructions for how to appeal the decision with the
controller as described in subdivision 5.
new text end
new text begin
(g) Information provided under this section must be provided by the controller free of
charge up to twice annually to the consumer. Where requests from a consumer are manifestly
unfounded or excessive, in particular because of the repetitive character of the requests, the
controller may either charge a reasonable fee to cover the administrative costs of complying
with the request, or refuse to act on the request. The controller bears the burden of
demonstrating the manifestly unfounded or excessive character of the request.
new text end
new text begin
(h) A controller is not required to comply with a request to exercise any of the rights
under subdivision 1, paragraphs (b) to (h), if the controller is unable to authenticate the
request using commercially reasonable efforts. In such cases, the controller may request
the provision of additional information reasonably necessary to authenticate the request. A
controller is not required to authenticate an opt-out request, but a controller may deny an
opt-out request if the controller has a good faith, reasonable, and documented belief that
the request is fraudulent. If a controller denies an opt-out request because the controller
believes a request is fraudulent, the controller must notify the person who made the request
that the request was denied due to the controller's belief that the request was fraudulent and
state the controller's basis for that belief.
new text end
new text begin
(i) In response to a consumer request under subdivision 1, a controller must not disclose
the following information about a consumer, but must instead inform the consumer with
sufficient particularity that the controller has collected that type of information:
new text end
new text begin
(1) Social Security number;
new text end
new text begin
(2) driver's license number or other government-issued identification number;
new text end
new text begin
(3) financial account number;
new text end
new text begin
(4) health insurance account number or medical identification number;
new text end
new text begin
(5) account password, security questions, or answers; or
new text end
new text begin
(6) biometric data.
new text end
new text begin
(j) In response to a consumer request under subdivision 1, a controller is not required
to reveal any trade secret.
new text end
new text begin
(k) A controller that has obtained personal data about a consumer from a source other
than the consumer may comply with a consumer's request to delete the consumer's personal
data pursuant to subdivision 1, paragraph (d), by either:
new text end
new text begin
(1) retaining a record of the deletion request, retaining the minimum data necessary for
the purpose of ensuring the consumer's personal data remains deleted from the business's
records, and not using the retained data for any other purpose pursuant to the provisions of
this chapter; or
new text end
new text begin
(2) opting the consumer out of the processing of personal data for any purpose except
for the purposes exempted pursuant to the provisions of this chapter.
new text end
new text begin
(a) A controller must establish an internal process whereby a consumer may appeal a refusal to
take action on a request to exercise any of the rights under subdivision 1 within a reasonable
period of time after the consumer's receipt of the notice sent by the controller under
subdivision 4, paragraph (f).
new text end
new text begin
(b) The appeal process must be conspicuously available. The process must include the
ease of use provisions in subdivision 3 applicable to submitting requests.
new text end
new text begin
(c) Within 45 days of receipt of an appeal, a controller must inform the consumer of any
action taken or not taken in response to the appeal, along with a written explanation of the
reasons in support thereof. That period may be extended by 60 additional days where
reasonably necessary, taking into account the complexity and number of the requests serving
as the basis for the appeal. The controller must inform the consumer of any extension within
45 days of receipt of the appeal, together with the reasons for the delay.
new text end
new text begin
(d) When informing a consumer of any action taken or not taken in response to an appeal
pursuant to paragraph (c), the controller must provide a written explanation of the reasons
for the controller's decision and clearly and prominently provide the consumer with
information about how to file a complaint with the Office of the Attorney General. The
controller must maintain records of all appeals and the controller's responses for at least 24
months and shall, upon written request by the attorney general as part of an investigation,
compile and provide a copy of the records to the attorney general.
(a) This chapter does not require a controller or processor to do any of the following
solely for purposes of complying with this chapter:
(1) reidentify deidentified data;
(2) maintain data in identifiable form, or collect, obtain, retain, or access any data or
technology, in order to be capable of associating an authenticated consumer request with
personal data; or
(3) comply with an authenticated consumer request to access, correct, delete, or port
personal data pursuant to section 325O.05, subdivision 1, if all of the following are true:
(i) the controller is not reasonably capable of associating the request with the personal
data, or it would be unreasonably burdensome for the controller to associate the request
with the personal data;
(ii) the controller does not use the personal data to recognize or respond to the specific
consumer who is the subject of the personal data, or associate the personal data with other
personal data about the same specific consumer; and
(iii) the controller does not sell the personal data to any third party or otherwise
voluntarily disclose the personal data to any third party other than a processor, except as
otherwise permitted in this section.
(b) The rights contained in section 325O.05, subdivision 1, paragraphs (b) to (h), do not
apply to pseudonymous data in cases where the controller is able to demonstrate any
information necessary to identify the consumer is kept separately and is subject to effective
technical and organizational controls that prevent the controller from accessing the
information.
(c) A controller that uses pseudonymous data or deidentified data must exercise reasonable
oversight to monitor compliance with any contractual commitments to which the
pseudonymous data or deidentified data are subject, and must take appropriate steps to
address any breaches of contractual commitments.
(d) A processor or third party must not attempt to identify the subjects of deidentified
or pseudonymous data without the express authority of the controller that caused the data
to be deidentified or pseudonymized.
(e) A controller, processor, or third party must not attempt to identify the subjects of
data that has been collected with only pseudonymous identifiers.
(a) Controllers must provide consumers with
a reasonably accessible, clear, and meaningful privacy notice that includes:
(1) the categories of personal data processed by the controller;
(2) the purposes for which the categories of personal data are processed;
(3) an explanation of the rights contained in section 325O.05 and how and where
consumers may exercise those rights, including how a consumer may appeal a controller's
action with regard to the consumer's request;
(4) the categories of personal data that the controller sells to or shares with third parties,
if any;
(5) the categories of third parties, if any, with whom the controller sells or shares personal
data;
(6) the controller's contact information, including an active email address or other online
mechanism that the consumer may use to contact the controller;
(7) a description of the controller's retention policies for personal data; and
(8) the date the privacy notice was last updated.
(b) If a controller sells personal data to third parties, processes personal data for targeted
advertising, or engages in profiling in furtherance of decisions that produce legal effects
concerning a consumer or similarly significant effects concerning a consumer, the controller
must disclose the processing in the privacy notice and provide access to a clear and
conspicuous method outside the privacy notice for a consumer to opt out of the sale,
processing, or profiling in furtherance of decisions that produce legal effects concerning a
consumer or similarly significant effects concerning a consumer. This method may include
but is not limited to an Internet hyperlink clearly labeled "Your Opt-Out Rights" or "Your
Privacy Rights" that directly effectuates the opt-out request or takes consumers to a web
page where the consumer can make the opt-out request.
(c) The privacy notice must be made available to the public in each language in which
the controller provides a product or service that is subject to the privacy notice or carries
out activities related to the product or service.
(d) The controller must provide the privacy notice in a manner that is reasonably
accessible to and usable by individuals with disabilities.
(e) Whenever a controller makes a material change to the controller's privacy notice or
practices, the controller must notify consumers affected by the material change with respect
to any prospectively collected personal data and provide a reasonable opportunity for
consumers to withdraw consent to any further materially different collection, processing,
or transfer of previously collected personal data under the changed policy. The controller
shall take all reasonable electronic measures to provide notification regarding material
changes to affected consumers, taking into account available technology and the nature of
the relationship.
(f) A controller is not required to provide a separate Minnesota-specific privacy notice
or section of a privacy notice if the controller's general privacy notice contains all the
information required by this section.
(g) The privacy notice must be posted online through a conspicuous hyperlink using the
word "privacy" on the controller's website home page or on a mobile application's app store
page or download page. A controller that maintains an application on a mobile or other
device shall also include a hyperlink to the privacy notice in the application's settings menu
or in a similarly conspicuous and accessible location. A controller that does not operate a
website shall make the privacy notice conspicuously available to consumers through a
medium regularly used by the controller to interact with consumers, including but not limited
to mail.
(a) A controller must limit the collection of personal data to what
is adequate, relevant, and reasonably necessary in relation to the purposes for which the
data are processed, which must be disclosed to the consumer.
(b) Except as provided in this chapter, a controller may not process personal data for
purposes that are not reasonably necessary to, or compatible with, the purposes for which
the personal data are processed, as disclosed to the consumer, unless the controller obtains
the consumer's consent.
(c) A controller shall establish, implement, and maintain reasonable administrative,
technical, and physical data security practices to protect the confidentiality, integrity, and
accessibility of personal data, including the maintenance of an inventory of the data that
must be managed to exercise these responsibilities. The data security practices shall be
appropriate to the volume and nature of the personal data at issue.
(d) Except as otherwise provided in this act, a controller may not process sensitive data
concerning a consumer without obtaining the consumer's consent, or, in the case of the
processing of personal data concerning a known child, without obtaining consent from the
child's parent or lawful guardian, in accordance with the requirement of the Children's
Online Privacy Protection Act, United States Code, title 15, sections 6501 to 6506, and its
implementing regulations, rules, and exemptions.
(e) A controller shall provide an effective mechanism for a consumer, or, in the case of
the processing of personal data concerning a known child, the child's parent or lawful
guardian, to revoke previously given consent under this subdivision. The mechanism provided
shall be at least as easy as the mechanism by which the consent was previously given. Upon
revocation of consent, a controller shall cease to process the applicable data as soon as
practicable, but not later than 15 days after the receipt of such request.
(f) A controller may not process the personal data of a consumer for purposes of targeted
advertising, or sell the consumer's personal data, without the consumer's consent, under
circumstances where the controller knows that the consumer is between the ages of 13 and
16.
(g) A controller may not retain personal data that is no longer relevant and reasonably
necessary in relation to the purposes for which the data were collected and processed, unless
retention of the data is otherwise required by law or permitted under section 325O.09.
(a) A controller shall not process personal data on the
basis of a consumer's or a class of consumers' actual or perceived race, color, ethnicity,
religion, national origin, sex, gender, gender identity, sexual orientation, familial status,
lawful source of income, or disability in a manner that unlawfully discriminates against the
consumer or class of consumers with respect to the offering or provision of: housing,
employment, credit, or education; or the goods, services, facilities, privileges, advantages,
or accommodations of any place of public accommodation.
(b) A controller may not discriminate against a consumer for exercising any of the rights
contained in this chapter, including denying goods or services to the consumer, charging
different prices or rates for goods or services, and providing a different level of quality of
goods and services to the consumer. This subdivision does not: (1) require a controller to
provide a good or service that requires the consumer's personal data that the controller does
not collect or maintain; or (2) prohibit a controller from offering a different price, rate, level,
quality, or selection of goods or services to a consumer, including offering goods or services
for no fee, if the offering is in connection with a consumer's voluntary participation in a
bona fide loyalty, rewards, premium features, discounts, or club card program.
(c) A controller may not sell personal data to a third-party controller as part of a bona
fide loyalty, rewards, premium features, discounts, or club card program under paragraph
(b) unless:
(1) the sale is reasonably necessary to enable the third party to provide a benefit to which
the consumer is entitled;
(2) the sale of personal data to third parties is clearly disclosed in the terms of the
program; and
(3) the third party uses the personal data only for purposes of facilitating a benefit to
which the consumer is entitled and does not retain or otherwise use or disclose the personal
data for any other purpose.
Any provision of a contract or agreement of
any kind that purports to waive or limit in any way a consumer's rights under this chapter
is contrary to public policy and is void and unenforceable.
(a) A small business, as defined by the United States Small Business Administration
under Code of Federal Regulations, title 13, part 121, that conducts business in Minnesota
or produces products or services that are targeted to residents of Minnesota, must not sell
a consumer's sensitive data without the consumer's prior consent.
(b) Penalties and attorney general enforcement procedures under section 325O.10 apply
to a small business that violates this section.
(a) A controller must document and maintain a description of the policies and procedures
the controller has adopted to comply with this chapter. The description must include, where
applicable:
(1) the name and contact information for the controller's chief privacy officer or other
individual with primary responsibility for directing the policies and procedures implemented
to comply with the provisions of this chapter; and
(2) a description of the controller's data privacy policies and procedures which reflect
the requirements in section 325O.07, and any policies and procedures designed to:
(i) reflect the requirements of this chapter in the design of the controller's systems;
(ii) identify and provide personal data to a consumer as required by this chapter;
(iii) establish, implement, and maintain reasonable administrative, technical, and physical
data security practices to protect the confidentiality, integrity, and accessibility of personal
data, including the maintenance of an inventory of the data that must be managed to exercise
the responsibilities under this item;
(iv) limit the collection of personal data to what is adequate, relevant, and reasonably
necessary in relation to the purposes for which the data are processed;
(v) prevent the retention of personal data that is no longer relevant and reasonably
necessary in relation to the purposes for which the data were collected and processed, unless
retention of the data is otherwise required by law or permitted under section 325O.09; and
(vi) identify and remediate violations of this chapter.
(b) A controller must conduct and document a data privacy and protection assessment
for each of the following processing activities involving personal data:
(1) the processing of personal data for purposes of targeted advertising;
(2) the sale of personal data;
(3) the processing of sensitive data;
(4) any processing activities involving personal data that present a heightened risk of
harm to consumers; and
(5) the processing of personal data for purposes of profiling, where the profiling presents
a reasonably foreseeable risk of:
(i) unfair or deceptive treatment of, or disparate impact on, consumers;
(ii) financial, physical, or reputational injury to consumers;
(iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or
concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
(iv) other substantial injury to consumers.
(c) A data privacy and protection assessment must take into account the type of personal
data to be processed by the controller, including the extent to which the personal data are
sensitive data, and the context in which the personal data are to be processed.
(d) A data privacy and protection assessment must identify and weigh the benefits that
may flow directly and indirectly from the processing to the controller, consumer, other
stakeholders, and the public against the potential risks to the rights of the consumer associated
with the processing, as mitigated by safeguards that can be employed by the controller to
reduce the potential risks. The use of deidentified data and the reasonable expectations of
consumers, as well as the context of the processing and the relationship between the controller
and the consumer whose personal data will be processed, must be factored into this
assessment by the controller.
(e) A data privacy and protection assessment must include the description of policies
and procedures required by paragraph (a).
(f) As part of a civil investigative demand, the attorney general may request, in writing,
that a controller disclose any data privacy and protection assessment that is relevant to an
investigation conducted by the attorney general. The controller must make a data privacy
and protection assessment available to the attorney general upon a request made under this
paragraph. The attorney general may evaluate the data privacy and protection assessments
for compliance with this chapter. Data privacy and protection assessments are classified as
nonpublic data, as defined by section 13.02, subdivision 9. The disclosure of a data privacy
and protection assessment pursuant to a request from the attorney general under this
paragraph does not constitute a waiver of the attorney-client privilege or work product
protection with respect to the assessment and any information contained in the assessment.
(g) Data privacy and protection assessments or risk assessments conducted by a controller
for the purpose of compliance with other laws or regulations may qualify under this section
if the assessments have a similar scope and effect.
(h) A single data protection assessment may address multiple sets of comparable
processing operations that include similar activities.
(a) The obligations imposed on controllers or processors under this chapter do not restrict
a controller's or a processor's ability to:
(1) comply with federal, state, or local laws, rules, or regulations, including but not
limited to data retention requirements in state or federal law notwithstanding a consumer's
request to delete personal data;
(2) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or
summons by federal, state, local, or other governmental authorities;
(3) cooperate with law enforcement agencies concerning conduct or activity that the
controller or processor reasonably and in good faith believes may violate federal, state, or
local laws, rules, or regulations;
(4) investigate, establish, exercise, prepare for, or defend legal claims;
(5) provide a product or service specifically requested by a consumer; perform a contract
to which the consumer is a party, including fulfilling the terms of a written warranty; or
take steps at the request of the consumer prior to entering into a contract;
(6) take immediate steps to protect an interest that is essential for the life or physical
safety of the consumer or of another natural person, and where the processing cannot be
manifestly based on another legal basis;
(7) prevent, detect, protect against, or respond to security incidents, identity theft, fraud,
harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity
or security of systems; or investigate, report, or prosecute those responsible for any such
action;
(8) assist another controller, processor, or third party with any of the obligations under
this paragraph;
(9) engage in public or peer-reviewed scientific, historical, or statistical research in the
public interest that adheres to all other applicable ethics and privacy laws and is approved,
monitored, and governed by an institutional review board, human subjects research ethics
review board, or a similar independent oversight entity that has determined:
(i) the research is likely to provide substantial benefits that do not exclusively accrue to
the controller;
(ii) the expected benefits of the research outweigh the privacy risks; and
(iii) the controller has implemented reasonable safeguards to mitigate privacy risks
associated with research, including any risks associated with reidentification; or
(10) process personal data for the benefit of the public in the areas of public health,
community health, or population health, but only to the extent that the processing is:
(i) subject to suitable and specific measures to safeguard the rights of the consumer
whose personal data is being processed; and
(ii) under the responsibility of a professional individual who is subject to confidentiality
obligations under federal, state, or local law.
(b) The obligations imposed on controllers or processors under this chapter do not restrict
a controller's or processor's ability to collect, use, or retain data to:
(1) effectuate a product recall or identify and repair technical errors that impair existing
or intended functionality;
(2) perform internal operations that are reasonably aligned with the expectations of the
consumer based on the consumer's existing relationship with the controller, or are otherwise
compatible with processing in furtherance of the provision of a product or service specifically
requested by a consumer or the performance of a contract to which the consumer is a party;
or
(3) conduct internal research to develop, improve, or repair products, services, or
technology.
(c) The obligations imposed on controllers or processors under this chapter do not apply
where compliance by the controller or processor with this chapter would violate an
evidentiary privilege under Minnesota law and do not prevent a controller or processor from
providing personal data concerning a consumer to a person covered by an evidentiary
privilege under Minnesota law as part of a privileged communication.
(d) A controller or processor that discloses personal data to a third-party controller or
processor in compliance with the requirements of this chapter is not in violation of this
chapter if the recipient processes the personal data in violation of this chapter, provided that
at the time of disclosing the personal data, the disclosing controller or processor did not
have actual knowledge that the recipient intended to commit a violation. A third-party
controller or processor receiving personal data from a controller or processor in compliance
with the requirements of this chapter is not in violation of this chapter for the obligations
of the controller or processor from which the third-party controller or processor receives
the personal data.
(e) Obligations imposed on controllers and processors under this chapter shall not:
(1) adversely affect the rights or freedoms of any persons, including exercising the right
of free speech pursuant to the First Amendment of the United States Constitution; or
(2) apply to the processing of personal data by a natural person in the course of a purely
personal or household activity.
(f) Personal data that are processed by a controller pursuant to this section may be
processed solely to the extent that the processing is:
(1) necessary, reasonable, and proportionate to the purposes listed in this section;
(2) adequate, relevant, and limited to what is necessary in relation to the specific purpose
or purposes listed in this section; and
(3) insofar as possible, taking into account the nature and purpose of processing the
personal data, subjected to reasonable administrative, technical, and physical measures to
protect the confidentiality, integrity, and accessibility of the personal data, and to reduce
reasonably foreseeable risks of harm to consumers.
(g) If a controller processes personal data pursuant to an exemption in this section, the
controller bears the burden of demonstrating that the processing qualifies for the exemption
and complies with the requirements in paragraph (f).
(h) Processing personal data solely for the purposes expressly identified in paragraph
(a), clauses (1) to (7), does not, by itself, make an entity a controller with respect to the
processing.
(a) In the event that a controller or processor violates this chapter, the attorney general,
prior to filing an enforcement action under paragraph (b), must provide the controller or
processor with a warning letter identifying the specific provisions of this chapter the attorney
general alleges have been or are being violated. If, after 30 days of issuance of the warning
letter, the attorney general believes the controller or processor has failed to cure any alleged
violation, the attorney general may bring an enforcement action under paragraph (b). This
paragraph expires January 31, 2026.
(b) The attorney general may bring a civil action against a controller or processor to
enforce a provision of this chapter in accordance with section 8.31. If the state prevails in
an action to enforce this chapter, the state may, in addition to penalties provided by paragraph
(c) or other remedies provided by law, be allowed an amount determined by the court to be
the reasonable value of all or part of the state's litigation expenses incurred.
(c) Any controller or processor that violates this chapter is subject to an injunction and
liable for a civil penalty of not more than $7,500 for each violation.
(d) Nothing in this chapter establishes a private right of action, including under section
8.31, subdivision 3a, for a violation of this chapter or any other law.
(a) This chapter supersedes and preempts laws, ordinances, regulations, or the equivalent
adopted by any local government regarding the processing of personal data by controllers
or processors.
(b) If any provision of this chapter or the chapter's application to any person or
circumstance is held invalid, the remainder of the chapter or the application of the provision
to other persons or circumstances is not affected.
This article is effective July 31, 2025, except that postsecondary institutions regulated
by the Office of Higher Education are not required to comply with this article until July 31,
2029.
new text end