Minnesota Legislature
SF 4247
as introduced - 91st Legislature (2019 - 2020) Posted on 03/11/2020 03:52pm
Current Version - as introduced
1.7 1.8
1.9 1.10 1.11 1.12 1.13 1.14 1.15 1.16 1.17 1.18 1.19 1.20 1.21 1.22 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26 2.27 2.28 2.29 2.30 2.31 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 3.31 3.32 3.33 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22 4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 4.31 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13 5.14 5.15 5.16 5.17
5.18 5.19 5.20 5.21 5.22 5.23 5.24 5.25 5.26 5.27 5.28 5.29 5.30 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 6.10 6.11 6.12 6.13 6.14 6.15 6.16 6.17 6.18 6.19 6.20 6.21 6.22 6.23 6.24 6.25 6.26 6.27 6.28 6.29 6.30 6.31 6.32 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9 7.10 7.11 7.12 7.13 7.14 7.15 7.16 7.17 7.18 7.19 7.20 7.21 7.22 7.23 7.24 7.25 7.26 7.27 7.28 7.29
7.30 7.31 7.32 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 8.10 8.11 8.12 8.13 8.14 8.15 8.16 8.17 8.18 8.19 8.20 8.21 8.22 8.23 8.24 8.25 8.26 8.27 8.28 8.29 8.30 8.31 8.32 9.1 9.2 9.3 9.4 9.5 9.6 9.7 9.8 9.9 9.10 9.11 9.12 9.13 9.14 9.15 9.16 9.17 9.18 9.19
9.20 9.21 9.22 9.23 9.24 9.25 9.26 9.27 9.28 9.29 9.30 9.31 9.32 9.33 10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8 10.9 10.10 10.11 10.12 10.13 10.14 10.15 10.16 10.17 10.18 10.19 10.20 10.21 10.22 10.23 10.24 10.25 10.26 10.27 10.28 10.29 10.30 10.31 10.32 10.33 11.1 11.2 11.3 11.4 11.5 11.6 11.7 11.8 11.9 11.10 11.11 11.12 11.13 11.14 11.15 11.16 11.17 11.18 11.19 11.20 11.21
11.22 11.23 11.24 11.25 11.26 11.27 11.28 11.29 11.30 11.31 11.32 12.1 12.2 12.3 12.4 12.5 12.6 12.7 12.8 12.9 12.10 12.11 12.12 12.13 12.14 12.15 12.16 12.17 12.18
12.19 12.20 12.21 12.22 12.23 12.24 12.25 12.26 12.27 12.28 12.29 12.30 12.31 13.1 13.2 13.3 13.4 13.5 13.6 13.7 13.8 13.9 13.10 13.11 13.12 13.13 13.14 13.15 13.16 13.17 13.18 13.19 13.20 13.21 13.22 13.23 13.24 13.25 13.26 13.27 13.28 13.29 13.30 13.31 13.32 13.33 14.1 14.2 14.3 14.4 14.5 14.6 14.7 14.8 14.9 14.10 14.11 14.12 14.13 14.14 14.15 14.16 14.17 14.18 14.19 14.20
14.21 14.22 14.23 14.24 14.25 14.26 14.27 14.28 14.29 14.30 14.31 15.1 15.2 15.3 15.4 15.5 15.6 15.7 15.8 15.9 15.10 15.11 15.12 15.13 15.14 15.15 15.16 15.17 15.18 15.19 15.20 15.21 15.22 15.23 15.24 15.25 15.26 15.27 15.28 15.29
15.30 15.31 15.32 15.33 16.1 16.2 16.3 16.4 16.5 16.6 16.7 16.8 16.9 16.10 16.11 16.12 16.13 16.14 16.15 16.16 16.17 16.18 16.19 16.20 16.21 16.22 16.23 16.24 16.25 16.26 16.27 16.28 16.29 16.30 16.31 16.32 17.1 17.2 17.3 17.4 17.5 17.6 17.7 17.8 17.9 17.10 17.11 17.12 17.13 17.14 17.15 17.16 17.17 17.18 17.19 17.20 17.21 17.22 17.23 17.24 17.25 17.26 17.27 17.28 17.29 17.30 17.31 17.32 17.33 18.1 18.2 18.3 18.4 18.5 18.6 18.7 18.8 18.9 18.10 18.11 18.12 18.13 18.14 18.15 18.16 18.17 18.18 18.19 18.20 18.21 18.22 18.23 18.24 18.25
18.26 18.27 18.28 18.29 18.30 18.31 19.1 19.2 19.3 19.4 19.5 19.6 19.7 19.8 19.9 19.10 19.11 19.12 19.13 19.14 19.15 19.16 19.17 19.18 19.19 19.20 19.21 19.22 19.23 19.24 19.25 19.26 19.27 19.28 19.29 19.30 19.31 19.32 20.1 20.2 20.3 20.4 20.5 20.6 20.7 20.8 20.9 20.10 20.11 20.12 20.13 20.14 20.15 20.16 20.17 20.18 20.19 20.20 20.21 20.22 20.23 20.24 20.25 20.26 20.27 20.28 20.29 20.30 20.31 21.1 21.2 21.3
21.4 21.5 21.6 21.7 21.8 21.9 21.10 21.11 21.12 21.13 21.14 21.15 21.16 21.17 21.18
21.19 21.20 21.21 21.22
21.23 21.24 21.25 21.26 21.27 21.28 21.29
22.1 22.2 22.3 22.4
A bill for an act
relating to consumer data privacy; giving various rights to consumers regarding
personal data; placing obligations on businesses regarding consumer data; providing
for enforcement by the attorney general; requiring a report; proposing coding for
new law as Minnesota Statutes, chapter 325O.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Section 1.
new text begin
[325O.01] CITATION.
new text end
new text begin
This chapter may be cited as the "Minnesota Consumer Data Privacy Act."
new text end
Sec. 2.
new text begin
[325O.02] DEFINITIONS.
new text end
new text begin
(a) For purposes of this chapter, the following terms have the meanings given.
new text end
new text begin
(b) "Affiliate" means a legal entity that controls, is controlled by, or is under common
control with, that other legal entity. For these purposes, "control" or "controlled" means:
ownership of, or the power to vote, more than 50 percent of the outstanding shares of any
class of voting security of a company; control in any manner over the election of a majority
of the directors or of individuals exercising similar functions; or the power to exercise a
controlling influence over the management of a company.
new text end
new text begin
(c) "Authenticate" means to use reasonable means to determine that a request to exercise
any of the rights in section 325O.05, subdivision 1, clauses (1) to (4), is being made by the
consumer who is entitled to exercise such rights with respect to the personal data at issue.
new text end
new text begin
(d) "Child" means any natural person under 13 years of age.
new text end
new text begin
(e) "Consent" means a clear affirmative act signifying a freely given, specific, informed,
and unambiguous indication of a consumer's agreement to the processing of personal data
relating to the consumer, such as by a written statement, including by electronic means or
other clear affirmative action.
new text end
new text begin
(f) "Consumer" means a natural person who is a Minnesota resident acting only in an
individual or household context. It does not include a natural person acting in a commercial
or employment context.
new text end
new text begin
(g) "Controller" means the natural or legal person which, alone or jointly with others,
determines the purposes and means of the processing of personal data.
new text end
new text begin
(h) "Decisions that produce legal effects concerning a consumer or similarly significant
effects concerning a consumer" means decisions that result in the provision or denial of
financial and lending services, housing, insurance, education enrollment, criminal justice,
employment opportunities, health care services, or access to basic necessities, such as food
and water.
new text end
new text begin
(i) "Deidentified data" means data that cannot reasonably be used to infer information
about, or otherwise be linked to, an identified or identifiable natural person, or a device
linked to such person, provided that the controller that possesses the data:
new text end
new text begin
(1) takes reasonable measures to ensure that the data cannot be associated with a natural
person;
new text end
new text begin
(2) publicly commits to maintain and use the data only in a deidentified fashion and not
attempt to reidentify the data; and
new text end
new text begin
(3) contractually obligates any recipients of the information to comply with all provisions
of this paragraph.
new text end
new text begin
(j) "Enroll," "enrolled," or "enrolling" means the process by which a facial recognition
service creates a facial template from one or more images of a consumer and adds the facial
template to a gallery used by the facial recognition service for identification, verification,
or persistent tracking of consumers. It also includes the act of adding an existing facial
template directly into a gallery used by a facial recognition service.
new text end
new text begin
(k) "Facial recognition service" means technology that analyzes facial features and is
used for the identification, verification, or persistent tracking of consumers in still or video
images.
new text end
new text begin
(l) "Facial template" means the machine-interpretable pattern of facial features that is
extracted from one or more images of a consumer by a facial recognition service.
new text end
new text begin
(m) "Identification" means the use of a facial recognition service by a controller to
determine whether an unknown consumer matches any consumer whose identity is known
to the controller and who has been enrolled by reference to that identity in a gallery used
by the facial recognition service.
new text end
new text begin
(n) "Identified or identifiable natural person" means a person who can be readily
identified, directly or indirectly.
new text end
new text begin
(o) "Meaningful human review" means review or oversight by one or more individuals
who are trained in accordance with section 325O.085, paragraph (k), and who have the
authority to alter the decision under review.
new text end
new text begin
(p) "Persistent tracking" means the use of a facial recognition service to track the
movements of a consumer on a persistent basis without identification or verification of that
consumer. Such tracking becomes persistent as soon as:
new text end
new text begin
(1) the facial template that permits the tracking uses a facial recognition service for more
than 48 hours after the first enrolling of that template; or
new text end
new text begin
(2) the data created by the facial recognition service in connection with the tracking of
the movements of the consumer are linked to any other data such that the consumer who
has been tracked is identified or identifiable.
new text end
new text begin
(q) "Personal data" means any information that is linked or reasonably linkable to an
identified or identifiable natural person. Personal data does not include deidentified data or
publicly available information. For purposes of this paragraph, "publicly available
information" means information that is lawfully made available from federal, state, or local
government records.
new text end
new text begin
(r) "Process" or "processing" means any operation or set of operations that are performed
on personal data or on sets of personal data, whether or not by automated means, such as
the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
new text end
new text begin
(s) "Processor" means a natural or legal person who processes personal data on behalf
of a controller.
new text end
new text begin
(t) "Profiling" means any form of automated processing of personal data to evaluate,
analyze, or predict personal aspects concerning an identified or identifiable natural person's
economic situation, health, personal preferences, interests, reliability, behavior, location,
or movements.
new text end
new text begin
(u) "Pseudonymous data" means personal data that cannot be attributed to a specific
natural person without the use of additional information, provided that such additional
information is kept separately and is subject to appropriate technical and organizational
measures to ensure that the personal data are not attributed to an identified or identifiable
natural person.
new text end
new text begin
(v) "Recognition" means the use of a facial recognition service to determine whether:
new text end
new text begin
(1) an unknown consumer matches any consumer who has been enrolled in a gallery
used by the facial recognition service; or
new text end
new text begin
(2) an unknown consumer matches a specific consumer who has been enrolled in a
gallery used by the facial recognition service.
new text end
new text begin
(w) "Sale," "sell," or "sold" means the exchange of personal data for monetary or other
valuable consideration by the controller to a third party. Sale does not include the following:
new text end
new text begin
(1) the disclosure of personal data to a processor who processes the personal data on
behalf of the controller;
new text end
new text begin
(2) the disclosure of personal data to a third party with whom the consumer has a direct
relationship for purposes of providing a product or service requested by the consumer;
new text end
new text begin
(3) the disclosure or transfer of personal data to an affiliate of the controller;
new text end
new text begin
(4) the disclosure of information that the consumer intentionally made available to the
general public via a channel of mass media, and did not restrict to a specific audience; or
new text end
new text begin
(5) the disclosure or transfer of personal data to a third party as an asset that is part of a
merger, acquisition, bankruptcy, or other transaction in which the third party assumes control
of all or part of the controller's assets.
new text end
new text begin
(x) "Security or safety purpose" means physical security, protection of consumer data,
safety, fraud prevention, or asset protection.
new text end
new text begin
(y) Sensitive data is a form of personal data. "Sensitive data" means:
new text end
new text begin
(1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical
health condition or diagnosis, sexual orientation, or citizenship or immigration status;
new text end
new text begin
(2) the processing of genetic or biometric data for the purpose of uniquely identifying
a natural person;
new text end
new text begin
(3) the personal data from a known child; or
new text end
new text begin
(4) specific geolocation data.
new text end
new text begin
(z) "Specific geolocation data" means information derived from technology, including
but not limited to global positioning system level latitude and longitude coordinates or other
mechanisms, that directly identifies the specific location of a natural person with the precision
and accuracy below 1,750 feet. Specific geolocation data excludes the content of
communications.
new text end
new text begin
(aa) "Targeted advertising" means displaying advertisements to a consumer where the
advertisement is selected based on personal data obtained from a consumer's activities over
time and across nonaffiliated websites or online applications to predict such consumer's
preferences or interests. It does not include advertising:
new text end
new text begin
(1) based on activities within a controller's own websites or online applications;
new text end
new text begin
(2) based on the context of a consumer's current search query or visit to a website or
online application; or
new text end
new text begin
(3) to a consumer in response to the consumer's request for information or feedback.
new text end
new text begin
(bb) "Third party" means a natural or legal person, public authority, agency, or body
other than the consumer, controller, processor, or an affiliate of the processor or the controller.
new text end
new text begin
(cc) "Verification" means the use of a facial recognition service by a controller to
determine whether a consumer is a specific consumer whose identity is known to the
controller and who has been enrolled by reference to that identity in a gallery used by the
facial recognition service.
new text end
Sec. 3.
new text begin
[325O.03] SCOPE; EXCLUSIONS.
new text end
new text begin Subdivision 1. new text end
new text begin Scope. new text end
new text begin
This chapter applies to legal entities that conduct business in
Minnesota or produce products or services that are targeted to residents of Minnesota, and
that satisfy one or more of the following thresholds:
new text end
new text begin
(1) during a calendar year, controls or processes personal data of 100,000 consumers or
more; or
new text end
new text begin
(2) derives over 50 percent of gross revenue from the sale of personal data and processes
or controls personal data of 25,000 consumers or more.
new text end
new text begin Subd. 2. new text end
new text begin Exclusions. new text end
new text begin
(a) This chapter does not apply to the following entities or types
of information:
new text end
new text begin
(1) a government entity, as defined by section 13.02, subdivision 7a;
new text end
new text begin
(2) a federally recognized Indian tribe;
new text end
new text begin
(3) information that meets the definition of:
new text end
new text begin
(i) protected health information as defined by and for purposes of the Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191, and related regulations;
new text end
new text begin
(ii) health records, as defined in section 144.291, subdivision 2;
new text end
new text begin
(iii) patient identifying information for purposes of Code of Federal Regulations, title
42, part 2, established pursuant to United States Code, title 42, section 290dd-2;
new text end
new text begin
(iv) identifiable private information for purposes of the federal policy for the protection
of human subjects, Code of Federal Regulations, title 45, part 46; identifiable private
information that is otherwise information collected as part of human subjects research
pursuant to the good clinical practice guidelines issued by the International Council for
Harmonisation; the protection of human subjects under Code of Federal Regulations, title
21, parts 50 and 56; or personal data used or shared in research conducted in accordance
with one or more of the requirements set forth in this paragraph;
new text end
new text begin
(v) information and documents created for purposes of the federal Health Care Quality
Improvement Act of 1986, Public Law 99-660, and related regulations; or
new text end
new text begin
(vi) patient safety work product for purposes of Code of Federal Regulations, title 42,
part 3, established pursuant to United States Code, title 42, sections 299b-21 to 299b-26;
new text end
new text begin
(4) information that is derived from any of the health care-related information listed in
clause (2), but that has been deidentified in accordance with the requirements for
deidentification set forth in Code of Federal Regulations, title 45, part 164;
new text end
new text begin
(5) information originating from, and intermingled to be indistinguishable with, any of
the health care-related information listed in clause (2) that is maintained by:
new text end
new text begin
(i) a covered entity or business associate as defined by the Health Insurance Portability
and Accountability Act of 1996, Public Law 104-191, and related regulations;
new text end
new text begin
(ii) a health care provider, as defined in section 144.291, subdivision 2; or
new text end
new text begin
(iii) a program or a qualified service organization as defined by Code of Federal
Regulations, title 42, part 2, established pursuant to United States Code, title 42, section
290dd-2;
new text end
new text begin
(6) information used only for public health activities and purposes as described in Code
of Federal Regulations, title 45, section 164.512;
new text end
new text begin
(7) an activity involving the collection, maintenance, disclosure, sale, communication,
or use of any personal data bearing on a consumer's credit worthiness, credit standing, credit
capacity, character, general reputation, personal characteristics, or mode of living by a
consumer reporting agency, as defined in United States Code, title 15, section 1681a(f), by
a furnisher of information, as set forth in United States Code, title 15, section 1681s-2, who
provides information for use in a consumer report, as defined in United States Code, title
15, section 1681a(d), and by a user of a consumer report, as set forth in United States Code,
title 15, section 1681b, except that information is only excluded under this paragraph to the
extent that such activity involving the collection, maintenance, disclosure, sale,
communication, or use of such information by that agency, furnisher, or user is subject to
regulation under the federal Fair Credit Reporting Act, United States Code, title 15, sections
1681 to 1681x, and the information is not collected, maintained, used, communicated,
disclosed, or sold except as authorized by the Fair Credit Reporting Act;
new text end
new text begin
(8) personal data collected, processed, sold, or disclosed pursuant to the federal
Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations, if the
collection, processing, sale, or disclosure is in compliance with that law;
new text end
new text begin
(9) personal data collected, processed, sold, or disclosed pursuant to the federal Driver's
Privacy Protection Act of 1994, United States Code, title 18, sections 2721 to 2725, if the
collection, processing, sale, or disclosure is in compliance with that law;
new text end
new text begin
(10) personal data regulated by the federal Family Educations Rights and Privacy Act,
United States Code, title 20, section 1232g, and its implementing regulations;
new text end
new text begin
(11) personal data collected, processed, sold, or disclosed pursuant to the federal Farm
Credit Act of 1971, as amended, United States Code, title 12, sections 2001 to 2279cc, and
its implementing regulations, Code of Federal Regulations, title 12, part 600, if the collection,
processing, sale, or disclosure is in compliance with that law;
new text end
new text begin
(12) information maintained for employment records purposes; or
new text end
new text begin
(13) personal data collected, processed, sold, or disclosed pursuant to the Minnesota
Insurance Fair Information Reporting Act in sections 72A.49 to 72A.505.
new text end
new text begin
(b) Controllers that are in compliance with the verifiable parental consent mechanisms
under the federal Children's Online Privacy Protection Act, United States Code, title 15,
sections 6501 to 6506, and its implementing regulations, shall be deemed compliant with
any obligation to obtain parental consent under this chapter.
new text end
Sec. 4.
new text begin
[325O.04] RESPONSIBILITY ACCORDING TO ROLE.
new text end
new text begin
(a) Controllers and processors are responsible for meeting their respective obligations
established under this chapter.
new text end
new text begin
(b) Processors are responsible under this chapter for adhering to the instructions of the
controller and assisting the controller to meet its obligations under this chapter. Such
assistance shall include the following:
new text end
new text begin
(1) taking into account the nature of the processing, the processor shall assist the controller
by appropriate technical and organizational measures, insofar as this is possible, for the
fulfillment of the controller's obligation to respond to consumer requests to exercise their
rights pursuant to section 325O.05; and
new text end
new text begin
(2) taking into account the nature of processing and the information available to the
processor, the processor shall assist the controller in meeting the controller's obligations in
relation to the security of processing the personal data and in relation to the notification of
a breach of the security of the system pursuant to section 325E.61, and shall provide
information to the controller necessary to enable the controller to conduct and document
any data protection assessments required by section 325O.08.
new text end
new text begin
(c) Notwithstanding the instructions of the controller, a processor shall:
new text end
new text begin
(1) implement and maintain reasonable security procedures and practices to protect
personal data, taking into account the context in which the personal data are to be processed;
new text end
new text begin
(2) ensure that each person processing the personal data is subject to a duty of
confidentiality with respect to the data; and
new text end
new text begin
(3) engage a subcontractor only (i) after providing the controller with an opportunity to
object and (ii) pursuant to a written contract in accordance with paragraph (e) that requires
the subcontractor to meet the obligations of the processor with respect to the personal data.
new text end
new text begin
(d) Processing by a processor shall be governed by a contract between the controller
and the processor that is binding on both parties and that sets out the processing instructions
to which the processor is bound, including the nature and purpose of the processing, the
type of personal data subject to the processing, the duration of the processing, and the
obligations and rights of both parties. In addition, the contract shall include the requirements
imposed by this paragraph and paragraph (c), as well as the following requirements:
new text end
new text begin
(1) at the choice of the controller, the processor shall delete or return all personal data
to the controller as requested at the end of the provision of services, unless retention of the
personal data is required by law;
new text end
new text begin
(2) the processor shall make available to the controller all information necessary to
demonstrate compliance with the obligations in this chapter; and
new text end
new text begin
(3) the processor shall allow for, and contribute to, reasonable audits and inspections by
the controller or the controller's designated auditor. Alternatively, the processor may, with
the controller's consent, arrange for a qualified and independent auditor to conduct, at least
annually and at the processor's expense, an audit of the processor's policies and technical
and organizational measures in support of the obligations under this chapter. The auditor
must use an appropriate and accepted control standard or framework and audit procedure
for such audits as applicable, and shall provide a report of such audit to the controller upon
request.
new text end
new text begin
(e) In no event shall any contract relieve a controller or a processor from the liabilities
imposed on them by virtue of its role in the processing relationship as defined by this chapter.
new text end
new text begin
(f) Determining whether a person is acting as a controller or processor with respect to
a specific processing of data is a fact-based determination that depends upon the context in
which personal data are to be processed. A person that is not limited in the person's processing
of personal data pursuant to a controller's instructions, or that fails to adhere to such
instructions, is a controller and not a processor with respect to a specific processing of data.
A processor that continues to adhere to a controller's instructions with respect to a specific
processing of personal data remains a processor. If a processor begins, alone or jointly with
others, determining the purposes and means of the processing of personal data, it is a
controller with respect to such processing.
new text end
Sec. 5.
new text begin
[325O.05] CONSUMER PERSONAL DATA RIGHTS.
new text end
new text begin Subdivision 1. new text end
new text begin Consumer rights. new text end
new text begin
Consumers may exercise the rights set forth in this
paragraph by submitting a request, at any time, to a controller specifying which rights the
consumer wishes to exercise. In the case of processing personal data concerning a known
child, the parent or legal guardian of the known child shall exercise the rights of this chapter
on the child's behalf. Except as provided in this chapter, the controller must comply with a
request to exercise the following consumer rights:
new text end
new text begin
(1) right to access: a consumer has the right to confirm whether or not a controller is
processing personal data concerning the consumer and to access such personal data;
new text end
new text begin
(2) right to correction: a consumer has the right to correct inaccurate personal data
concerning the consumer, taking into account the nature of the personal data and the purposes
of the processing of the personal data;
new text end
new text begin
(3) right to deletion: a consumer has the right to delete personal data concerning the
consumer;
new text end
new text begin
(4) right to data portability: a consumer has the right to obtain personal data concerning
the consumer, which the consumer previously provided to the controller, in a portable and,
to the extent technically feasible, readily usable format that allows the consumer to transmit
the data to another controller without hindrance, where the processing is carried out by
automated means; and
new text end
new text begin
(5) right to opt out: a consumer has the right to opt out of the processing of personal
data concerning the consumer for purposes of targeted advertising, the sale of personal data,
or profiling in furtherance of decisions that produce legal effects concerning a consumer or
similarly significant effects concerning a consumer.
new text end
new text begin Subd. 2. new text end
new text begin Controller response to consumer requests. new text end
new text begin
(a) A controller must inform a
consumer of any action taken on a request under subdivision 1, clauses (1) to (5), without
undue delay and in any event within 45 days of receipt of the request. That period may be
extended once by 45 additional days where reasonably necessary, taking into account the
complexity and number of the requests. The controller must inform the consumer of any
such extension within 45 days of receipt of the request, together with the reasons for the
delay.
new text end
new text begin
(b) If a controller does not take action on the request of a consumer, the controller must
inform the consumer without undue delay and at the latest within 45 days of receipt of the
request of the reasons for not taking action and instructions for how to appeal the decision
with the controller as described in subdivision 3.
new text end
new text begin
(c) Information provided under this section must be provided by the controller free of
charge, up to twice annually to the consumer. Where requests from a consumer are manifestly
unfounded or excessive, in particular because of their repetitive character, the controller
may either charge a reasonable fee to cover the administrative costs of complying with the
request, or refuse to act on the request. The controller bears the burden of demonstrating
the manifestly unfounded or excessive character of the request.
new text end
new text begin
(d) A controller is not required to comply with a request to exercise any of the rights
under subdivision 1, clauses (1) to (4), if the controller is unable to authenticate the request
using commercially reasonable efforts. In such cases, the controller may request the provision
of additional information reasonably necessary to authenticate the request.
new text end
new text begin Subd. 3. new text end
new text begin Appeal process required. new text end
new text begin
(a) Controllers must establish an internal process
whereby consumers may appeal a refusal to take action on a request to exercise any of the
rights under subdivision 1, clauses (1) to (5), within a reasonable period of time after the
consumer's receipt of the notice sent by the controller under paragraph (b) of subdivision
2.
new text end
new text begin
(b) The appeal process must be conspicuously available and as easy to use as the process
for submitting such requests under this section.
new text end
new text begin
(c) Within 30 days of receipt of an appeal, a controller must inform the consumer of any
action taken or not taken in response to the appeal, along with a written explanation of the
reasons in support thereof. That period may be extended by 60 additional days where
reasonably necessary, taking into account the complexity and number of the requests serving
as the basis for the appeal. The controller must inform the consumer of any such extension
within 30 days of receipt of the appeal, together with the reasons for the delay. The controller
must also provide the consumer with an e-mail address or other online mechanism through
which the consumer may submit the appeal, along with any action taken or not taken by the
controller in response to the appeal and the controller's written explanation of the reasons
in support thereof, to the attorney general.
new text end
new text begin
(d) When informing a consumer of any action taken or not taken in response to an appeal
pursuant to paragraph (c), the controller must clearly and prominently ask the consumer
whether the consumer consents to having the controller submit the appeal, along with any
action taken or not taken by the controller in response to the appeal and must, upon request,
provide the controller's written explanation of the reasons in support thereof, to the attorney
general. If the consumer provides such consent, the controller must submit such information
to the attorney general.
new text end
Sec. 6.
new text begin
[325O.06] PROCESSING DEIDENTIFIED DATA OR PSEUDONYMOUS
DATA.
new text end
new text begin
(a) This chapter does not require a controller or processor to do any of the following
solely for purposes of complying with this chapter:
new text end
new text begin
(1) reidentify deidentified data;
new text end
new text begin
(2) maintain data in identifiable form, or collect, obtain, retain, or access any data or
technology, in order to be capable of associating an authenticated consumer request with
personal data; or
new text end
new text begin
(3) comply with an authenticated consumer request to access, correct, delete, or port
personal data pursuant to section 325O.05, subdivision 1, clauses (1) to (4), if all of the
following are true:
new text end
new text begin
(i) the controller is not reasonably capable of associating the request with the personal
data, or it would be unreasonably burdensome for the controller to associate the request
with the personal data;
new text end
new text begin
(ii) the controller does not use the personal data to recognize or respond to the specific
consumer who is the subject of the personal data, or associate the personal data with other
personal data about the same specific consumer; and
new text end
new text begin
(iii) the controller does not sell the personal data to any third party or otherwise
voluntarily disclose the personal data to any third party other than a processor, except as
otherwise permitted in this section.
new text end
new text begin
(b) The rights contained in section 325O.05, subdivision 1, clauses (1) to (4), do not
apply to pseudonymous data in cases where the controller is able to demonstrate any
information necessary to identify the consumer is kept separately and is subject to effective
technical and organizational controls that prevent the controller from accessing such
information.
new text end
new text begin
(c) A controller that uses pseudonymous data or deidentified data must exercise reasonable
oversight to monitor compliance with any contractual commitments to which the
pseudonymous data or deidentified data are subject, and must take appropriate steps to
address any breaches of contractual commitments.
new text end
Sec. 7.
new text begin
[325O.07] RESPONSIBILITIES OF CONTROLLERS.
new text end
new text begin Subdivision 1. new text end
new text begin Transparency obligations. new text end
new text begin
(a) Controllers shall provide consumers with
a reasonably accessible, clear, and meaningful privacy notice that includes:
new text end
new text begin
(1) the categories of personal data processed by the controller;
new text end
new text begin
(2) the purposes for which the categories of personal data are processed;
new text end
new text begin
(3) how and where consumers may exercise the rights contained in section 325O.05,
including how a consumer may appeal a controller's action with regard to the consumer's
request;
new text end
new text begin
(4) the categories of personal data that the controller shares with third parties, if any;
and
new text end
new text begin
(5) the categories of third parties, if any, with whom the controller shares personal data.
new text end
new text begin
(b) If a controller sells personal data to third parties or processes personal data for targeted
advertising, it must clearly and conspicuously disclose such processing, as well as the manner
in which a consumer may exercise the right to opt out of such processing, in a clear and
conspicuous manner.
new text end
new text begin
(c) A controller shall establish and describe in the privacy notice one or more secure
and reliable means for consumers to submit a request to exercise their rights under this
chapter. Such means shall take into account the ways in which consumers interact with the
controller, the need for secure and reliable communication of such requests, and the
controller's ability to authenticate the identity of the consumer making the request. A
controller shall not require a consumer to create a new account in order to exercise a right,
but a controller may require a consumer to use an existing account to exercise the consumer's
rights under this chapter.
new text end
new text begin Subd. 2. new text end
new text begin Use of data. new text end
new text begin
(a) A controller's collection of personal data must be limited to
what is reasonably necessary in relation to the purposes for which such data are processed,
as disclosed to the consumer.
new text end
new text begin
(b) A controller's collection of personal data must be adequate, relevant, and limited to
what is reasonably necessary in relation to the purposes for which such data are processed,
as disclosed to the consumer.
new text end
new text begin
(c) Except as provided in this chapter, a controller may not process personal data for
purposes that are not reasonably necessary to, or compatible with, the purposes for which
such personal data are processed, as disclosed to the consumer, unless the controller obtains
the consumer's consent.
new text end
new text begin
(d) A controller shall establish, implement, and maintain reasonable administrative,
technical, and physical data security practices to protect the confidentiality, integrity, and
accessibility of personal data. Such data security practices shall be appropriate to the volume
and nature of the personal data at issue.
new text end
new text begin
(e) Except as otherwise provided in this act, a controller may not process sensitive data
concerning a consumer without obtaining the consumer's consent, or, in the case of the
processing of personal data concerning a known child, without obtaining consent from the
child's parent or lawful guardian, in accordance with the children's online privacy protection
act requirements.
new text end
new text begin
(f) A controller may not sell personal data to a third-party controller as part of such a
program unless:
new text end
new text begin
(1) the sale is reasonably necessary to enable the third party to provide a benefit to which
the consumer is entitled;
new text end
new text begin
(2) the sale of personal data to third parties is clearly disclosed in the terms of the
program; and
new text end
new text begin
(3) the third party uses the personal data only for purposes of facilitating such benefit
to which the consumer is entitled and does not retain or otherwise use or disclose the personal
data for any other purpose.
new text end
new text begin
(g) A controller may not enroll a consumer in a facial recognition service in connection
with a bona fide loyalty, rewards, premium features, discounts, or club card program.
new text end
new text begin Subd. 3. new text end
new text begin Nondiscrimination; waiver of rights unenforceable. new text end
new text begin
(a) A controller may
not process personal data in violation of state and federal laws that prohibit unlawful
discrimination against consumers. A controller shall not discriminate against a consumer
for exercising any of the rights contained in this chapter, including denying goods or services
to the consumer, charging different prices or rates for goods or services, and providing a
different level of quality of goods or services to the consumer. This paragraph shall not
prohibit a controller from offering a different price, rate, level, quality, or selection of goods
or services to a consumer, including offering goods or services for no fee, if the offering is
in connection with a consumer's voluntary participation in a bona fide loyalty, rewards,
premium features, discounts, or club card program.
new text end
new text begin
(b) Any provision of a contract or agreement of any kind that purports to waive or limit
in any way a consumer's rights under this chapter shall be deemed contrary to public policy
and shall be void and unenforceable.
new text end
Sec. 8.
new text begin
[325O.08] DATA PROTECTION ASSESSMENTS.
new text end
new text begin
(a) Controllers must conduct and document a data protection assessment of each of the
following processing activities involving personal data:
new text end
new text begin
(1) the processing of personal data for purposes of targeted advertising;
new text end
new text begin
(2) the sale of personal data;
new text end
new text begin
(3) the processing of sensitive data;
new text end
new text begin
(4) any processing activities involving personal data that present a heightened risk of
harm to consumers; and
new text end
new text begin
(5) the processing of personal data for purposes of profiling, where such profiling presents
a reasonably foreseeable risk of:
new text end
new text begin
(i) unfair or deceptive treatment of, or disparate impact on, consumers;
new text end
new text begin
(ii) financial, physical, or reputational injury to consumers;
new text end
new text begin
(iii) a physical or other intrusion upon the solitude or seclusion, or the private affairs or
concerns, of consumers, where such intrusion would be offensive to a reasonable person;
or
new text end
new text begin
(iv) other substantial injury to consumers.
new text end
new text begin
(b) Data protection assessments must take into account the type of personal data to be
processed by the controller, including the extent to which the personal data are sensitive
data, and the context in which the personal data are to be processed.
new text end
new text begin
(c) Data protection assessments must identify and weigh the benefits that may flow
directly and indirectly from the processing to the controller, consumer, other stakeholders,
and the public against the potential risks to the rights of the consumer associated with such
processing, as mitigated by safeguards that can be employed by the controller to reduce
such risks. The use of deidentified data and the reasonable expectations of consumers, as
well as the context of the processing and the relationship between the controller and the
consumer whose personal data will be processed, must be factored into this assessment by
the controller.
new text end
new text begin
(d) The attorney general may request, in writing, that a controller disclose any data
protection assessment that is relevant to an investigation conducted by the attorney general.
The controller must make a data protection assessment available to the attorney general
upon such a request. The attorney general may evaluate the data protection assessments for
compliance with the responsibilities contained in section 325O.07 and with other laws. Data
protection assessments are classified as nonpublic data, as defined by section 13.02,
subdivision 9. The disclosure of a data protection assessment pursuant to a request from the
attorney general under this paragraph does not constitute a waiver of the attorney-client
privilege or work product protection with respect to the assessment and any information
contained in the assessment.
new text end
new text begin
(e) Data protection assessments conducted by a controller for the purpose of compliance
with other laws or regulations may qualify under this section if they have a similar scope
and effect.
new text end
Sec. 9.
new text begin
[325O.085] FACIAL RECOGNITION.
new text end
new text begin
(a) Processors that provide facial recognition services must make available an application
programming interface or other technical capability, chosen by the processor, to enable
controllers or third parties to conduct legitimate, independent, and reasonable tests of those
facial recognition services for accuracy and unfair performance differences across distinct
subpopulations, provided that making such an application programming interface or other
technical capability available does not require the disclosure of proprietary data, trade
secrets, intellectual property, or other information, or if doing so would increase the risk of
cyberattacks including but not limited to cyberattacks related to unique methods of conducting
business, data unique to the product or services, or determining prices or rates to be charged
for services.
new text end
new text begin
(b) If the results of independent testing under paragraph (a) identify material unfair
performance differences across subpopulations and the methodology, data, and results are
disclosed in a manner that allow full reproduction of the testing directly to the processor,
who, acting reasonably, determines that the methodology and results of that testing are valid,
then the processor must develop and implement a plan to mitigate the identified performance
differences. Nothing in this paragraph prevents a processor from prohibiting the use of the
processor's facial recognition service by a competitor for competitive purposes.
new text end
new text begin
(c) For purposes of this section, subpopulations are defined by visually detectable
characteristics, such as:
new text end
new text begin
(1) race, skin tone, ethnicity, gender, age, or disability status; or
new text end
new text begin
(2) other protected characteristics that are objectively determinable or self-identified by
the individuals portrayed in the testing dataset.
new text end
new text begin
(d) Processors that provide facial recognition services must provide documentation that
includes general information that explains the capabilities and limitations of the services in
plain language, and enables testing of the services in accordance with this section.
new text end
new text begin
(e) Processors that provide facial recognition services must prohibit, in the contract
required by section 325O.05, the use of facial recognition services by controllers to
unlawfully discriminate under federal or state law against individual consumers or groups
of consumers.
new text end
new text begin
(f) Controllers must provide a conspicuous and contextually appropriate notice whenever
a facial recognition service is deployed in a physical premise open to the public that includes,
at minimum, the following:
new text end
new text begin
(1) the purpose or purposes for which the facial recognition service is deployed; and
new text end
new text begin
(2) information about where consumers can obtain additional information about the
facial recognition service including but not limited to a link to any applicable online notice,
terms, or policy that provides information about where and how consumers can exercise
any rights that they have with respect to the facial recognition service.
new text end
new text begin
(g) Subject to paragraph (h), controllers must obtain consent from a consumer prior to
enrolling an image of that consumer in a facial recognition service used in a physical premise
open to the public.
new text end
new text begin
(h) Controllers may enroll an image of a consumer in a facial recognition service for a
security or safety purpose without first obtaining consent from that consumer, provided that
all of the following requirements are met:
new text end
new text begin
(1) the controller must hold a reasonable suspicion, based on a specific incident, that
the consumer has engaged in criminal activity, which includes but is not limited to shoplifting,
fraud, stalking, or domestic violence;
new text end
new text begin
(2) any database used by a facial recognition service for identification, verification, or
persistent tracking of consumers for a security or safety purpose must be used solely for
that purpose and maintained separately from any other databases maintained by the controller;
new text end
new text begin
(3) the controller must review any such database used by the controller's facial recognition
service no less than annually to remove facial templates of consumers whom the controller
no longer holds a reasonable suspicion that they have engaged in criminal activity; and
new text end
new text begin
(4) the controller must establish an internal process whereby a consumer may correct
or challenge the decision to enroll the image of the consumer in a facial recognition service
for a security or safety purpose.
new text end
new text begin
(i) Controllers using a facial recognition service to make decisions that produce legal
effects on consumers or similarly significant effects on consumers must ensure that those
decisions are subject to meaningful human review.
new text end
new text begin
(j) Prior to deploying a facial recognition service in the context in which it will be used,
controllers using a facial recognition service to make decisions that produce legal effects
on consumers or similarly significant effects on consumers must test the facial recognition
service in operational conditions. Controllers must take commercially reasonable steps to
ensure best quality results by following all reasonable guidance provided by the developer
of the facial recognition service.
new text end
new text begin
(k) Controllers using a facial recognition service must conduct periodic training of all
individuals that operate a facial recognition service or that process personal data obtained
from the use of facial recognition services. Such training shall include but not be limited to
coverage of:
new text end
new text begin
(1) the capabilities and limitations of the facial recognition service;
new text end
new text begin
(2) procedures to interpret and act on the output of the facial recognition service; and
new text end
new text begin
(3) the meaningful human review requirement for decisions that produce legal effects
on consumers or similarly significant effects on consumers, to the extent applicable to the
deployment context.
new text end
new text begin
(l) Controllers shall not knowingly disclose personal data obtained from a facial
recognition service to a law enforcement agency, except when such disclosure is:
new text end
new text begin
(1) pursuant to the consent of the consumer to whom the personal data relates;
new text end
new text begin
(2) required by federal, state, or local law in response to a court order, court-ordered
warrant, or subpoena or summons issued by a judicial officer or grand jury;
new text end
new text begin
(3) necessary to prevent or respond to an emergency involving danger of death or serious
physical injury to any person, upon a good faith belief by the controller; or
new text end
new text begin
(4) to the National Center for Missing and Exploited Children, in connection with a
report submitted thereto under United States Code, title 18, section 2258A.
new text end
new text begin
(m) Controllers that deploy a facial recognition service must respond to a consumer
request to exercise the rights specified in section 325O.05 and must fulfill the responsibilities
identified in section 325O.07.
new text end
new text begin
(n) Voluntary facial recognition services used to verify an aviation passenger's identity
in connection with services regulated by the secretary of transportation under United States
Code, title 49, section 41712, and exempt from state regulation under United States Code,
title 49, section 41713(b)(1), are exempt from this section. Images captured by an airline
must not be retained for more than 24 hours and, upon request of the attorney general,
airlines must certify that they do not retain the image for more than 24 hours. An airline
facial recognition service must disclose and obtain consent from the customer prior to
capturing an image.
new text end
Sec. 10.
new text begin
[325O.09] LIMITATIONS AND APPLICABILITY.
new text end
new text begin
(a) The obligations imposed on controllers or processors under this chapter do not restrict
a controller's or processor's ability to:
new text end
new text begin
(1) comply with federal, state, or local laws, rules, or regulations;
new text end
new text begin
(2) comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or
summons by federal, state, local, or other governmental authorities
new text end
new text begin
(3) cooperate with law enforcement agencies concerning conduct or activity that the
controller or processor reasonably and in good faith believes may violate federal, state, or
local laws, rules, or regulations;
new text end
new text begin
(4) investigate, establish, exercise, prepare for, or defend legal claims;
new text end
new text begin
(5) provide a product or service specifically requested by a consumer, perform a contract
to which the consumer is a party, or take steps at the request of the consumer prior to entering
into a contract;
new text end
new text begin
(6) take immediate steps to protect an interest that is essential for the life of the consumer
or of another natural person, and where the processing cannot be manifestly based on another
legal basis;
new text end
new text begin
(7) prevent, detect, protect against, or respond to security incidents, identity theft, fraud,
harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity
or security of systems; or investigate, report, or prosecute those responsible for any such
action;
new text end
new text begin
(8) engage in public or peer-reviewed scientific, historical, or statistical research in the
public interest that adheres to all other applicable ethics and privacy laws if the deletion of
the information is likely to render impossible or seriously impair the achievement of the
research and the consumer provided consent; or
new text end
new text begin
(9) assist another controller, processor, or third party with any of the obligations under
this paragraph.
new text end
new text begin
(b) The obligations imposed on controllers or processors under this chapter do not restrict
a controller's or processor's ability to collect, use, or retain data to:
new text end
new text begin
(1) conduct internal research solely to improve or repair products, services, or technology;
new text end
new text begin
(2) identify and repair technical errors that impair existing or intended functionality; or
new text end
new text begin
(3) perform solely internal operations that are reasonably aligned with the expectations
of the consumer based on the consumer's existing relationship with the controller, or are
otherwise compatible with processing in furtherance of the provision of a product or service
specifically requested by a consumer or the performance of a contract to which the consumer
is a party.
new text end
new text begin
(c) The obligations imposed on controllers or processors under this chapter do not apply
where compliance by the controller or processor with this chapter would violate an
evidentiary privilege under Minnesota law and do not prevent a controller or processor from
providing personal data concerning a consumer to a person covered by an evidentiary
privilege under Minnesota law as part of a privileged communication.
new text end
new text begin
(d) A controller or processor that discloses personal data to a third-party controller or
processor in compliance with the requirements of this chapter is not in violation of this
chapter if the recipient processes such personal data in violation of this chapter, provided
that, at the time of disclosing the personal data, the disclosing controller or processor did
not have actual knowledge that the recipient intended to commit a violation. A third-party
controller or processor receiving personal data from a controller or processor in compliance
with the requirements of this chapter is likewise not in violation of this chapter for the
obligations of the controller or processor from which it receives such personal data.
new text end
new text begin
(e) Obligations imposed on controllers and processors under this chapter shall not:
new text end
new text begin
(1) adversely affect the rights or freedoms of any persons, such as exercising the right
of free speech pursuant to the First Amendment of the United States Constitution; or
new text end
new text begin
(2) apply to the processing of personal data by a natural person in the course of a purely
personal or household activity.
new text end
new text begin
(f) Personal data that are processed by a controller pursuant to this section must not be
processed for any purpose other than those expressly listed in this section. Personal data
that are processed by a controller pursuant to this section may be processed solely to the
extent that such processing is:
new text end
new text begin
(1) necessary, reasonable, and proportionate to the purposes listed in this section; and
new text end
new text begin
(2) adequate, relevant, and limited to what is necessary in relation to the specific purpose
or purposes listed in this section.
new text end
new text begin
(g) Personal data that are collected, used, or retained pursuant to paragraph (b) must,
insofar as possible, taking into account the nature and purpose of such collection, use, or
retention, be subjected to reasonable administrative, technical, and physical measures to
protect the confidentiality, integrity, and accessibility of the personal data, and to reduce
reasonably foreseeable risks of harm to consumers relating to such collection, use, or retention
of personal data.
new text end
new text begin
(h) If a controller processes personal data pursuant to an exemption in this section, the
controller bears the burden of demonstrating that such processing qualifies for the exemption
and complies with the requirements in paragraph (f).
new text end
new text begin
(i) Processing personal data solely for the purposes expressly identified in paragraph
(a), clauses (1) to (4) or (7), does not, by itself, make an entity a controller with respect to
such processing.
new text end
Sec. 11.
new text begin
[325O.095] LIABILITY; ENFORCEMENT.
new text end
new text begin Subdivision 1. new text end
new text begin Liability. new text end
new text begin
(a) Any violation of this chapter shall not serve as the basis
for, or be subject to, a private right of action under this chapter or under any other law. This
does not relieve any party from any duties or obligations imposed, or to alter any independent
rights that consumers have under other Minnesota laws, the Minnesota Constitution, or the
United States Constitution.
new text end
new text begin
(b) The provisions of sections 604.01 and 604.02 apply to any action for damages under
this chapter.
new text end
new text begin Subd. 2. new text end
new text begin Attorney General enforcement. new text end
new text begin
(a) The attorney general may bring an action
to enforce a provision of this chapter in accordance with section 8.31. If the state prevails
in an action to enforce this chapter, the state may, in addition to penalties provided by
paragraph (b) or other remedies provided by law, be allowed an amount determined by the
court to be the reasonable value of all or part of the state's litigation expenses incurred.
new text end
new text begin
(b) Any controller or processor that violates this chapter is subject to an injunction and
liable for a civil penalty of not more than $7,500 for each violation.
new text end
Sec. 12.
new text begin
[325O.097] PREEMPTION OF LOCAL LAW.
new text end
new text begin
This chapter supersedes and preempts laws, ordinances, regulations, or the equivalent
adopted by any local government regarding the processing of personal data by controllers
or processors.
new text end
Sec. 13. new text begin REPORT REQUIRED.
new text end
new text begin
(a) The attorney general shall compile a report evaluating the liability and enforcement
provisions of this act including but not limited to the effectiveness of the attorney general's
efforts to enforce this act, and any recommendations for legislative changes.
new text end
new text begin
(b) By July 1, 2022, the attorney general shall submit the report to the chairs and ranking
minority members of the legislative committees with jurisdiction over commerce. The report
must be submitted in compliance with sections 3.195 and 3.197.
new text end
Sec. 14. new text begin EFFECTIVE DATE.
new text end
new text begin
This act is effective July 31, 2021, except that postsecondary institutions regulated by
the Office of Higher Education and nonprofit corporations governed by Minnesota Statutes,
chapter 317A, are not required to comply with this act until July 31, 2024.
new text end