Section 1.

new text begin [13.6505] ATTORNEY GENERAL DATA CODED ELSEWHERE.
new text end

Sec. 2.

new text begin [325O.01] CITATION; CONSTRUCTION.
new text end

Sec. 3.

new text begin [325O.02] DEFINITIONS.
new text end

new text begin (a) For purposes of this chapter, the following terms have the meanings given.
new text end

new text begin (b) "Aggregate consumer information" means information that relates to a group or
category of consumers, from which individual consumer identities have been removed, that
is not linked or reasonably linkable to any consumer or household, including via a device.
Aggregate consumer information does not mean one or more individual consumer records
that have been deidentified.
new text end

new text begin (c) "Business" means:
new text end

new text begin (1) a sole proprietorship, partnership, limited liability company, corporation, association,
or other legal entity that is organized or operated for the profit or financial benefit of its
shareholders or other owners that:
new text end

new text begin (i) collects consumers' personal information or on behalf of which that information is
collected;
new text end

new text begin (ii) alone, or jointly with others, determines the purposes and means of the processing
of consumers' personal information;
new text end

new text begin (iii) does business in Minnesota; and
new text end

new text begin (iv) satisfies one or more of the following thresholds:
new text end

new text begin (A) has annual gross revenues in excess of $25,000,000, as adjusted every odd-numbered
year to reflect the Consumer Price Index;
new text end

new text begin (B) alone or in combination, annually buys, receives for the business's commercial
purposes, sells, or shares for commercial purposes, alone or in combination, the personal
information of 50,000 or more consumers, households, or devices; or
new text end

new text begin (C) derives 50 percent or more of its annual revenues from selling consumers' personal
information; and
new text end

new text begin (2) any entity that controls or is controlled by a business as defined in clause (1) and
that shares common branding with the business. For purposes of this clause, "control" or
"controlled" means ownership of, or the power to vote, more than 50 percent of the
outstanding shares of any class of voting security of a business; control in any manner over
the election of a majority of the directors, or of individuals exercising similar functions; or
the power to exercise a controlling influence over the management of a company. For
purposes of this clause, "common branding" means a shared name, servicemark, or trademark
that the average consumer would understand that two or more entities are commonly owned.
new text end

new text begin For purposes of this chapter, for a joint venture or partnership composed of businesses in
which each business has at least a 40 percent interest, the joint venture or partnership and
each business that composes the joint venture or partnership shall separately be considered
a single business, except that personal information in the possession of each business and
disclosed to the joint venture or partnership must not be shared with the other business.
new text end

new text begin (d) "Child" means a consumer who is under 18 years of age.
new text end

new text begin (e) "Collect" means buying, renting, gathering, obtaining, receiving, or accessing any
personal information pertaining to a consumer by any means. This includes receiving
information from the consumer, either actively or passively, or by observing the consumer's
behavior.
new text end

new text begin (f) "Consumer" means a natural person who is a Minnesota resident, however identified,
including by any unique identifier.
new text end

new text begin (g) "Dark pattern" means a user interface designed or manipulated with the substantial
effect of subverting or impairing user autonomy, decision making, or choice.
new text end

new text begin (h) "Data protection impact assessment" means a systematic survey to assess and mitigate
risks to children who are reasonably likely to access the online service, product, or feature
that arise from the data management practices of the business.
new text end

new text begin (i) "Default" means a preselected option adopted by the business for the online service,
product, or feature.
new text end

new text begin (j) "Deidentified" means information that cannot reasonably be used to infer information
about, or otherwise be linked to, a particular consumer provided that the business that
possesses the information:
new text end

new text begin (1) takes reasonable measures to ensure that the information cannot be associated with
a consumer or household;
new text end

new text begin (2) publicly commits to maintain and use the information in deidentified form and not
to attempt to reidentify the information, except that the business may attempt to reidentify
the information solely for the purpose of determining whether its deidentification processes
satisfy the requirements of this paragraph; and
new text end

new text begin (3) contractually obligates any recipients of the information to maintain the data in
deidentified form in accordance with this definition.
new text end

new text begin (k) "Likely to be accessed by children" means an online service, product, or feature that
it is reasonable to expect would be accessed by children based on any of the following
indicators:
new text end

new text begin (1) the online service, product, or feature is directed to children, as defined by the
Children's Online Privacy Protection Act, United States Code, title 15, section 6501 et seq.;