Minnesota is the latest in a series of states to follow California's lead in proposing new legislation aimed at enhancing consumer data privacy. The bill, HF 36 would expand consumer rights over personal information, create a private right of action for any person injured by a violation, and impose specific transparency obligations on businesses collecting and disclosing personal information. The legislation largely aligns with the California Consumer Privacy Act (CCPA), with notable differences including an expanded scope of private right of action. If passed, the law will be contained in Minnesota Statutes, chapter 3250.
Like the CCPA, the Minnesota law would apply to any entity:
- with annual gross revenues in excess of $25,000,000, or
- that annually buys or sells personal information of at least 50,0000 consumers, households or devices, or
- which derives 50% or more of its annual revenue from the sale of personal information.
Alternatively, an entity would also be subject to the law if controlled by a separate business that meets the aforementioned criteria, or if sharing common branding with that separate entity.
Personal information is broadly defined in the bill as any information that describes, relates, or could be reasonably linked to a consumer (defined as a "natural person"), including identifying, financial, professional, health, and biometric information.
Businesses collecting and disclosing personal information would be subject to several transparency obligations. First, a business would be required to notify consumers about:
- the categories of information to be collected,
- the sources from which the information would be collected,
- the purpose of collection,
- the categories of service providers to which information may be disclosed, and the purpose therefor, and
- the consumer's right to access and delete the information.
Second, the use of information would be limited to the specified purpose. Consumers would also be granted a broad right to opt out of the sale of their personal information and would have to be notified if information were to be sold to any third party.
Finally, consumers would have to be provided with at least two designated methods for requesting the access or erasure of their information, such as a toll-free telephone number and a link on the business website. If requested, a business would be required to delete all information from their records and direct any service provider to do the same.
There are exceptions under which retention would be permitted despite a request—for example, if required to complete the transaction for which the personal information was collected, to protect against fraudulent or illegal activity or prosecute those responsible, to enable internal use of the information in a manner consistent with the context in which the consumer provided the information, to comply with a legal obligation, among others.
Businesses would be explicitly prohibited from discriminating against a consumer who exercise any of their rights under the proposed law.
There are several "exclusions" that expressly do not constitute the sale of personal information. For example:
- if a consumer intentionally directs the disclosure or use of the information
- if the information is shared solely to inform a third party or service provider that the consumer has opted out of the sale of their information
- if the business discloses information necessary to perform the specified business purpose and proper consumer notice was provided, or
- if personal information is transferred when a third party assumes control of all or part of the business.
However, if the third party materially alters the use of personal information, the third party must provide the consumer with notice of the new practices.
The attorney general would be granted enforcement power, but the law would also provide a private right of action for any injured individual. Statutory damages would range from $100 to $750 per consumer. A business that complies with all requirements will generally not be liable for any subsequent violations by a service provider or third party, provided it did not have actual knowledge of the violation.
As drafted, the proposed law is intended to take effect June 30, 2022. The bill was introduced January 7, 2021 and has been referred to the Committee on Commerce Finance and Policy.