Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature

SF 2912

as introduced - 91st Legislature (2019 - 2020) Posted on 05/19/2019 02:16pm

KEY: stricken = removed, old language.
underscored = added, new language.
Line numbers 1.1 1.2 1.3 1.4 1.5 1.6 1.7
1.8 1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 1.23 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26 2.27 2.28 2.29 2.30 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 3.31 3.32 3.33 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22 4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 4.31 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13 5.14 5.15 5.16 5.17 5.18 5.19 5.20 5.21 5.22 5.23 5.24 5.25 5.26 5.27 5.28 5.29 5.30 5.31 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 6.10 6.11 6.12 6.13 6.14 6.15 6.16 6.17 6.18 6.19 6.20 6.21 6.22 6.23 6.24 6.25 6.26 6.27 6.28 6.29 6.30 6.31 6.32 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9 7.10 7.11 7.12 7.13 7.14 7.15 7.16 7.17 7.18 7.19 7.20 7.21 7.22 7.23 7.24 7.25 7.26 7.27 7.28 7.29 7.30 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 8.10 8.11 8.12 8.13 8.14 8.15 8.16 8.17 8.18 8.19 8.20 8.21 8.22 8.23 8.24 8.25 8.26 8.27 8.28 8.29 8.30 8.31 8.32 8.33 8.34 9.1 9.2 9.3 9.4 9.5 9.6 9.7 9.8 9.9 9.10 9.11 9.12 9.13 9.14 9.15 9.16 9.17 9.18 9.19 9.20 9.21 9.22 9.23 9.24 9.25 9.26 9.27 9.28 9.29 9.30 9.31 10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8 10.9 10.10 10.11 10.12 10.13 10.14 10.15 10.16 10.17 10.18 10.19 10.20 10.21 10.22 10.23 10.24 10.25 10.26 10.27 10.28 10.29 10.30 10.31 10.32 11.1 11.2 11.3 11.4 11.5 11.6 11.7 11.8 11.9 11.10 11.11 11.12 11.13 11.14 11.15 11.16 11.17 11.18 11.19 11.20 11.21 11.22 11.23 11.24 11.25 11.26 11.27 11.28 11.29 11.30 11.31 12.1 12.2
12.3

A bill for an act
relating to data privacy; requiring controllers to provide, correct, or restrict
processing of personal data upon a consumer's request; requiring controllers to
provide a privacy notice and document risk assessment; providing for liability and
civil penalties; providing the attorney general with enforcement authority; proposing
coding for new law in Minnesota Statutes, chapter 325E.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

new text begin [325E.75] CONSUMER RIGHTS TO PERSONAL DATA PROCESSING.
new text end

new text begin Subdivision 1. new text end

new text begin Definitions. new text end

new text begin (a) The terms used in this section have the meanings given
them.
new text end

new text begin (b) "Affiliate" means a legal entity that controls, is controlled by, or is under common
control with another legal entity.
new text end

new text begin (c) "Business purpose" means the processing of personal data for the controller's or its
processor's operational purposes or other notified purposes, provided the processing of
personal data is reasonably necessary and proportionate (i) to achieve the operational
purposes for which the personal data was collected or processed, or (ii) for another
operational purpose that is compatible with the context in which the personal data was
collected. Business purpose includes:
new text end

new text begin (1) auditing related to a current interaction with the consumer and concurrent transactions,
including but not limited to counting ad impressions, verifying positioning and quality of
ad impressions, and auditing compliance with this specification and other standards;
new text end

new text begin (2) detecting security incidents; protecting against malicious, deceptive, fraudulent, or
illegal activity; and prosecuting those responsible for the activity;
new text end

new text begin (3) identifying and repairing errors that impair existing or intended functionality;
new text end

new text begin (4) short-term, transient use, provided the personal data is not disclosed to another third
party and is not used to build a profile about a consumer or otherwise alter an individual
consumer's experience outside the current interaction, including but not limited to the
contextual customization of ads shown as part of the same interaction;
new text end

new text begin (5) maintaining or servicing accounts, providing customer service, processing or fulfilling
orders and transactions, verifying customer information, processing payments, or providing
financing;
new text end

new text begin (6) undertaking internal research for technological development; or
new text end

new text begin (7) authenticating a consumer's identity.
new text end

new text begin (d) "Consent" means a clear, affirmative act, including a written statement, that establishes
a specific, informed, and unambiguous indication the consumer agrees to personal data
processing relating to the consumer.
new text end

new text begin (e) "Consumer" means a natural person who is a Minnesota resident. Consumer does
not include a business's employee or contractor that is acting in the role of an employee or
contractor.
new text end

new text begin (f) "Controller" means the natural or legal person that alone or jointly with others
determines the purposes and means to process personal data.
new text end

new text begin (g) "Data broker" means a business or unit of business that knowingly collects and sells
or licenses to third parties the brokered personal information of a consumer the business
does not have a direct relationship with.
new text end

new text begin (h) "Deidentified data" means:
new text end

new text begin (1) data that cannot be linked to a known natural person without additional information
kept separately; or
new text end

new text begin (2) data that:
new text end

new text begin (i) is modified to a degree that the risk of reidentification is small;
new text end

new text begin (ii) is subject to a controller's public commitment to not attempt to reidentify the data;
and
new text end

new text begin (iii) one or more enforceable controls to prevent reidentification, including legal,
administrative, technical, or contractual controls, have been applied to.
new text end

new text begin (i) "Developer" means a person who creates or modifies the instructions or programs
that instruct a computer or device to perform tasks.
new text end

new text begin (j) "Identified person" or "identifiable person" means a natural person who can be directly
or indirectly identified by reference to an identifier.
new text end

new text begin (k) "Personal data" means any information relating to an identified or identifiable person.
Personal data does not include deidentified data.
new text end

new text begin (l) "Process" or "processing" means any operation or set of operations performed on
personal data or on sets of personal data, whether or not by automated means. Process
includes collecting, recording, organizing, structuring, storing, adapting or altering, retrieving,
consulting, using, disclosing by transmission, disseminating or otherwise making available,
aligning or combining, restricting, deleting, or destructing personal data or sets of personal
data.
new text end

new text begin (m) "Processor" means a natural or legal person who processes personal data on behalf
of the controller.
new text end

new text begin (n) "Profiling" means any automated processing of personal data that consists of using
personal data to evaluate certain personal aspects relating to a natural person, including
analyzing or predicting aspects concerning the natural person's economic situation, health,
personal preferences, interests, reliability, behavior, location, or movements.
new text end

new text begin (o) "Restriction of processing" means marking stored personal data to limit the processing
of the personal data in the future.
new text end

new text begin (p) "Sale" means the exchange of personal data for monetary consideration by the
controller to a third party to license or sell personal data at the third party's discretion to
additional third parties. Sale does not include the following:
new text end

new text begin (1) the disclosure of personal data to a processor who processes the personal data on
behalf of the controller; or
new text end

new text begin (2) the disclosure of personal data to a third party with whom the consumer has a direct
relationship to provide a product or service requested by the consumer or otherwise in a
manner that is consistent with a consumer's reasonable expectations considering the context
in which the consumer provided the personal data to the controller.
new text end

new text begin (q) "Sensitive data" means personal data revealing racial or ethnic origin, religious or
philosophical beliefs, genetic data, biometric data to uniquely identify a natural person, data
concerning a minor, data concerning health, or data concerning a natural person's sex life
or sexual orientation.
new text end

new text begin (r) "Targeted advertising" means displaying advertisements to a consumer where the
advertisement is selected based on personal data obtained or inferred over time from a
consumer's:
new text end

new text begin (1) activities across nonaffiliate websites, applications, or online services to predict user
preferences or interests; or
new text end

new text begin (2) visits to a website, application, or online service that a reasonable consumer would
not expect to be associated with the publisher, based on lack of common branding,
trademarks, or other indicators of common ownership.
new text end

new text begin Targeted advertising does not include advertising to a consumer in response to the consumer's
request for information or feedback.
new text end

new text begin (s) "Third party" means a natural or legal person, public authority, agency, or body other
than a consumer, controller, or an affiliate of the processor or the controller.
new text end

new text begin Subd. 2. new text end

new text begin Application. new text end

new text begin (a) This section applies to legal entities that conduct business in
Minnesota or produce products or services that are intentionally targeted to residents of
Minnesota, provided the legal entity:
new text end

new text begin (1) controls or processes data of 100,000 consumers or more; or
new text end

new text begin (2) derives over 50 percent of gross revenue from the sale of personal information, and
processes or controls the personal information of 25,000 consumers or more.
new text end

new text begin (b) This section does not apply to:
new text end

new text begin (1) government entities, as defined in section 13.02, subdivision 7a;
new text end

new text begin (2) personal data sets to the extent regulated by sections 144.291 to 144.34, the federal
Health Insurance Portability and Accountability Act of 1996, the federal Health Information
Technology for Economic and Clinical Health Act of 2009, or the Gramm-Leach-Bliley
Act of 1999; or
new text end

new text begin (3) data sets maintained solely for employment record purposes.
new text end

new text begin Subd. 3. new text end

new text begin Responsibility. new text end

new text begin (a) Controllers must meet the obligations under this section.
new text end

new text begin (b) Processors must adhere to the instructions of the controller and assist the controller
to meet its obligations under this section.
new text end

new text begin (c) Processing by a processor must be governed by a contract between the controller
and the processor that is binding on the processor and that establishes the processing
instructions the processor is bound to.
new text end

new text begin Subd. 4. new text end

new text begin Consumer rights generally. new text end

new text begin (a) Upon a consumer's request, a controller must:
new text end

new text begin (1) confirm whether personal data concerning the consumer is being processed by the
controller;
new text end

new text begin (2) confirm whether the personal data is sold to data brokers;
new text end

new text begin (3) provide information regarding where personal data concerning the consumer is being
processed by the controller;
new text end

new text begin (4) provide access to personal data concerning the consumer that the controller maintains
in identifiable form;
new text end

new text begin (5) provide a copy of the personal data that the controller maintains in identifiable form
undergoing processing; and
new text end

new text begin (6) correct inaccurate personal data concerning the consumer that the controller maintains
in identifiable form within a reasonable period.
new text end

new text begin (b) If a consumer requests more than one copy of personal data, the controller may
charge a reasonable fee. The fee must be based on administrative costs. If the consumer
makes the request by electronic means, and unless otherwise requested by the consumer,
the information must be provided in a commonly used electronic form.
new text end

new text begin (c) A consumer must not be subject to a decision based solely on profiling which produces
legal effects concerning such consumer or similarly significantly affects the consumer.
Legal or similarly significant effects include but are not limited to denial of consequential
services or support for financial and lending services, housing, insurance, education
enrollment, criminal justice, employment opportunities, and health care services.
new text end

new text begin (d) Paragraph (c) does not apply if the decision is:
new text end

new text begin (1) necessary to enter into or perform a contract between the consumer and a controller;
new text end

new text begin (2) authorized by federal or state law the controller is subject to and that incorporates
suitable measures to safeguard the consumer's rights and legitimate interests, as indicated
by the risk assessments required under subdivision 12; or
new text end

new text begin (3) based on the consumer's consent.
new text end

new text begin (e) Notwithstanding paragraph (d), the controller must implement suitable measures,
including providing human review of the decision, to safeguard the consumer's rights and
legitimate interests with respect to decisions based solely on profiling, to express the
consumer's point of view with respect to the decision, and to contest the decision.
new text end

new text begin Subd. 5. new text end

new text begin Request for data deletion. new text end

new text begin (a) Upon a consumer's request, the controller must
delete the consumer's personal data without undue delay if:
new text end

new text begin (1) the personal data is no longer necessary to the purposes the personal data was collected
or otherwise processed for;
new text end

new text begin (2) the consumer withdraws consent to processing that requires consent under subdivision
12, and there are no other legitimate grounds for the processing;
new text end

new text begin (3) the consumer objects to the processing under subdivision 8 and (i) no overriding
legitimate grounds for the processing exist, or (ii) the processing is for direct marketing
purposes;
new text end

new text begin (4) the personal data has been unlawfully processed; or
new text end

new text begin (5) the personal data must be deleted to comply with a legal obligation under federal,
state, or local law the controller is subject to.
new text end

new text begin (b) If the controller is required under this section to delete personal data that has been
disclosed to third parties by the controller, including data brokers that received the data
through a sale, the controller must take reasonable steps, which may include technical
measures, to inform other controllers processing the personal data that the consumer has
requested the deletion by the other controllers of any links to, or copy or replication of, the
personal data. Compliance with this obligation must consider available technology and the
cost of implementation.
new text end

new text begin (c) This subdivision does not apply to the extent processing is necessary to:
new text end

new text begin (1) exercise the right to free speech;
new text end

new text begin (2) comply with a legal obligation that requires processing by federal, state, or local law
the controller is subject to, or perform a task carried out in the public interest or in the
exercise of official authority vested in the controller;
new text end

new text begin (3) support the public interest in the area of public health, provided the processing is (i)
subject to suitable and specific measures that safeguard the rights of the consumer, and (ii)
processed by or under the responsibility of a professional subject to confidentiality obligations
under federal, state, or local law;
new text end

new text begin (4) archive for purposes in the public interest, scientific or historical research purposes,
or statistical purposes, if the deletion of the personal data is likely to render impossible or
seriously impair achievement of the processing's objectives; or
new text end

new text begin (5) establish, exercise, or defend a legal claim.
new text end

new text begin Subd. 6. new text end

new text begin Request to restrict processing. new text end

new text begin (a) Upon a consumer's request, the controller
must restrict processing if:
new text end

new text begin (1) the consumer contests the accuracy of the personal data. The controller may restrict
processing for the period of time needed for the controller to verify the accuracy of the
personal data;
new text end

new text begin (2) the processing is unlawful, and the consumer opposes the deletion of the personal
data and requests that processing is restricted instead;
new text end

new text begin (3) the controller no longer needs the personal data for processing, but the personal data
is required by the consumer to establish, exercise, or defend a legal claim; or
new text end

new text begin (4) the consumer objects to processing under subdivision 8, pending verification of
whether the legitimate grounds of the controller override the consumer's objection.
new text end

new text begin (b) If personal data is subject to a processing restriction under this subdivision, the
personal data must, with the exception of storage, be processed only:
new text end

new text begin (1) with the consumer's consent;
new text end

new text begin (2) to establish, exercise, or defend a legal claim;
new text end

new text begin (3) to protect the rights of another natural or legal person; or
new text end

new text begin (4) for reasons of important public interest under federal, state, or local law.
new text end

new text begin (c) If a consumer obtains a processing restriction under this subdivision, the controller
must inform the consumer before lifting the processing restriction.
new text end

new text begin Subd. 7. new text end

new text begin Request for personal data. new text end

new text begin (a) Upon a consumer's request, the controller must
provide the consumer in a structured, commonly used, and machine-readable format any
personal data concerning the consumer that the controller maintains and that the consumer
has provided to the controller if:
new text end

new text begin (1) processing the personal data requires consent under subdivision 12, processing the
personal data is necessary for the performance of a contract the consumer is a party to, or
at the request of the consumer prior to entering into a contract; and
new text end

new text begin (2) the processing is carried out by automated means.
new text end

new text begin (b) Controllers must transmit the personal data requested under this subdivision (1)
directly from one controller to another where technically feasible, and (2) to another controller
without hindrance from the controller the personal data was provided to.
new text end

new text begin (c) Requests for personal data under this subdivision must be without prejudice to
subdivision 5.
new text end

new text begin (d) The rights provided under this subdivision do not apply to processing necessary to
perform a task carried out in the public interest or in the exercise of official authority vested
in the controller, and must not adversely affect the rights of others.
new text end

new text begin Subd. 8. new text end

new text begin Objection to processing. new text end

new text begin A consumer may object at any time, on grounds
relating to the consumer's particular situation, to processing personal data concerning the
consumer. When a consumer objects to targeted advertising, which includes the sale of
personal data concerning the consumer to third parties for direct targeted advertising, the
controller is prohibited from processing the personal data subject to the objection for direct
targeted advertising and must communicate the consumer's objection regarding any further
processing of the consumer's personal data to any third parties to whom the controller sold
the consumer's personal data for direct targeted advertising unless communication proves
impossible or involves disproportionate effort. Third parties must honor objection requests
under this subdivision received from third-party controllers. If a consumer objects to
processing for any purpose other than targeted advertising, the controller may continue
processing the personal data subject to the objection if the controller demonstrates a
compelling legitimate ground to process the personal data.
new text end

new text begin Subd. 9. new text end

new text begin Third parties. new text end

new text begin A controller must communicate any correction, deletion, or
restriction of processing carried out under this section to each third-party recipient, including
third parties that received the data through a sale, the personal data has been disclosed to
unless communication proves impossible or involves disproportionate effort. The controller
must inform the consumer about third-party recipients, if any, that have received the
consumer's personal data if the consumer requests the information.
new text end

new text begin Subd. 10. new text end

new text begin Timely action. new text end

new text begin (a) A controller must provide information on action taken in
response to a consumer request under this section within 30 days of the date the request is
received. That period may be extended for 60 additional days if necessary due to the
complexity and number of the requests. The controller must inform the consumer of the
extension and the reasons for the delay within 30 days of the date the request is received.
If the consumer makes the request by electronic means, the information must be provided
by electronic means if possible or unless otherwise requested by the consumer.
new text end

new text begin (b) If a controller does not take action on a consumer's request, the controller must inform
the consumer within 30 days of the date the request is received of the reasons for not taking
action and any possibility for internal review of the controller's decision.
new text end

new text begin (c) Information provided under this section must be provided by the controller free of
charge to the consumer. If a request from a consumer is manifestly unfounded, excessive,
or repetitive, the controller may:
new text end

new text begin (1) charge a reasonable fee based on the administrative costs to provide the information
or communication or take the action requested; or
new text end

new text begin (2) refuse to act on the request.
new text end

new text begin The controller bears the burden of demonstrating that the request is manifestly unfounded
or excessive.
new text end

new text begin (d) If the controller has reasonable doubts concerning the identity of the consumer making
a request under this section, the controller may request that the consumer provide additional
information necessary to confirm the consumer's identity.
new text end

new text begin Subd. 11. new text end

new text begin Notice. new text end

new text begin (a) Controllers must make available, in a form that is reasonably
accessible to consumers, a clear privacy notice that includes:
new text end

new text begin (1) the categories of personal data the controller collects;
new text end

new text begin (2) the purposes the categories of personal data are used and disclosed to third parties
for, if any;
new text end

new text begin (3) the rights consumers may exercise under this section;
new text end

new text begin (4) the categories of personal data the controller shares with third parties, if any; and
new text end

new text begin (5) the categories of third parties, if any, the controller shares personal data with.
new text end

new text begin (b) Controllers that engage in profiling must disclose the profiling to the consumer at
or before the time personal data is obtained. The disclosure must include information
regarding the logic involved, and the significance and potential consequences of the profiling.
new text end

new text begin (c) If a controller sells personal data to data brokers or processes personal data for targeted
advertising, it must disclose in a clear and prominent manner the processing and the manner
in which a consumer may exercise the right to object to the processing.
new text end

new text begin Subd. 12. new text end

new text begin Risk assessment. new text end

new text begin (a) Controllers must conduct risk assessments of each
processing activity the controller engages in that involves personal data, and must conduct
an additional risk assessment any time a change in processing occurs that materially increases
the risk to consumers. Risk assessments must consider the type of personal data processed
by the controller, including the extent to which the personal data is sensitive data or otherwise
sensitive in nature, and the context in which the personal data is processed.
new text end

new text begin (b) Risk assessments must identify and weigh the benefits that may flow directly and
indirectly to the controller, consumer, other stakeholders, and the public from the processing
against the potential risks, as mitigated by safeguards that can be employed by the controller
to reduce the risks, to the rights of the consumer associated with the processing. The use of
deidentified data and the reasonable expectations of consumers must be included in the
controller's assessment.
new text end

new text begin (c) If the risk assessment determines that the potential risks to the rights of the consumer
in processing the personal data of the consumer outweigh the interests of the controller,
consumer, other stakeholders, and the public, the controller may engage in processing only
if the consumer provides consent. Consent must be as easy to withdraw as it is to provide.
new text end

new text begin (d) Processing for a business purpose is presumed permissible unless:
new text end

new text begin (1) it involves processing sensitive data; and
new text end

new text begin (2) the risk of processing cannot be reduced through the use of appropriate administrative
and technical safeguards.
new text end

new text begin (e) The controller must make the risk assessment available to the attorney general upon
request. Risk assessments are nonpublic data, as defined in section 13.02, subdivision 9.
new text end

new text begin Subd. 13. new text end

new text begin Deidentified data. new text end

new text begin A controller or processor that uses deidentified data must
exercise reasonable oversight to monitor compliance with any contractual commitments
the deidentified data is subject to, and must take appropriate steps to address any breach of
a contractual commitment.
new text end

new text begin Subd. 14. new text end

new text begin Exemptions. new text end

new text begin (a) The obligations imposed on controllers or processors under
this section do not restrict a controller's or processor's ability to:
new text end

new text begin (1) comply with federal, state, or local laws;
new text end

new text begin (2) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or
summons by federal, state, local, or other governmental authorities;
new text end

new text begin (3) cooperate with law enforcement agencies concerning conduct or activity that the
controller or processor reasonably and in good faith believes may violate federal, state, or
local law;
new text end

new text begin (4) investigate, exercise, or defend legal claims; or
new text end

new text begin (5) prevent or detect identity theft, fraud, or other criminal activity.
new text end

new text begin (b) A controller or processor that discloses personal data to a third-party controller or
processor in compliance with this section does not violate this section if the third-party
recipient processes the personal data in violation of this section, provided that, at the time
the personal data was disclosed, the disclosing controller or processor did not have actual
knowledge that the third-party recipient intended to commit a violation. A third-party
recipient that receives personal data from a controller or processor is not liable under this
section for the obligations of a controller or processor it provides services to.
new text end

new text begin (c) This section does not require a controller or processor to:
new text end

new text begin (1) reidentify deidentified data;
new text end

new text begin (2) retain personal data concerning a consumer that it would not otherwise retain in the
ordinary course of business; or
new text end

new text begin (3) comply with a request to exercise under this section if the controller is unable to
verify, using commercially reasonable efforts, the identity of the consumer making the
request.
new text end

new text begin (d) Obligations imposed on controllers and processors under this section do not:
new text end

new text begin (1) adversely affect the rights of any person;
new text end

new text begin (2) apply to processing personal data by a natural person in the course of a personal or
household activity;
new text end

new text begin (3) apply if compliance by the controller or processor would violate an evidentiary
privilege; or
new text end

new text begin (4) prevent a controller or processor from providing personal data concerning a consumer
to a person covered by an evidentiary privilege as part of a privileged communication.
new text end

new text begin Subd. 15. new text end

new text begin Liability. new text end

new text begin (a) If more than one controller or processor, or both a controller
and a processor, involved in the same processing violates this section, liability must be
allocated among the parties on a comparative fault basis unless the liability is otherwise
allocated in a contract between the parties.
new text end

new text begin (b) A controller or processor violates this section if the controller or processor fails to
cure any alleged breach of this section within 30 days of the date notice of alleged
noncompliance is received. A controller or processor that violates this section is subject to
a civil penalty of not more than $2,500 for each violation or $7,500 for each intentional
violation.
new text end

new text begin Subd. 16. new text end

new text begin Enforcement. new text end

new text begin The attorney general may enforce this section under section
8.31. The attorney general may recover costs and disbursements, including costs of
investigation and reasonable attorney fees. Nothing in this section serves as the basis for a
private right of action.
new text end

new text begin EFFECTIVE DATE. new text end

new text begin This section is effective December 31, 2020.
new text end