A bill for an act
relating to consumer data privacy; giving various rights to consumers regarding
personal data; placing obligations on certain businesses regarding consumer data;
providing for enforcement by the attorney general; proposing coding for new law
in Minnesota Statutes, chapter 13; proposing coding for new law as Minnesota
Statutes, chapter 325O.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
new text begin
The sections referred to in this section are codified outside this
chapter. Those sections classify attorney general data as other than public, place restrictions
on access to government data, or involve data sharing.
new text end
new text begin
A data privacy and protection
assessment collected or maintained by the attorney general is classified under section
325O.08.
new text end
new text begin
This chapter may be cited as the "Minnesota Consumer Data Privacy Act."
new text end
new text begin
(a) For purposes of this chapter, the following terms have the meanings given.
new text end
new text begin
(b) "Affiliate" means a legal entity that controls, is controlled by, or is under common
control with, that other legal entity. For these purposes, "control" or "controlled" means:
ownership of, or the power to vote, more than 50 percent of the outstanding shares of any
class of voting security of a company; control in any manner over the election of a majority
of the directors or of individuals exercising similar functions; or the power to exercise a
controlling influence over the management of a company.
new text end
new text begin
(c) "Authenticate" means to use reasonable means to determine that a request to exercise
any of the rights in section 325O.05, subdivision 1, paragraphs (b) to (e), is being made by
the consumer who is entitled to exercise such rights with respect to the personal data at
issue.
new text end
new text begin
(d) "Biometric data" means data generated by automatic measurements of an individual's
biological characteristics, including a face, fingerprint, a voiceprint, eye retinas, irises, or
other unique biological patterns or characteristics that are used to identify a specific
individual. Biometric data does not include:
new text end
new text begin
(1) a digital or physical photograph;
new text end
new text begin
(2) an audio or video recording; or
new text end
new text begin
(3) any data generated from a digital or physical photograph, or an audio or video
recording, unless such data is generated to identify a specific individual.
new text end
new text begin
(e) "Child" has the meaning given in United States Code, title 15, section 6501.
new text end
new text begin
(f) "Consent" means any freely given, specific, informed, and unambiguous indication
of the consumer's wishes by which the consumer signifies agreement to the processing of
personal data relating to the consumer for a narrowly defined particular purpose. Acceptance
of a general or broad terms of use or similar document that contains descriptions of personal
data processing along with other, unrelated information does not constitute consent. Hovering
over, muting, pausing, or closing a given piece of content does not constitute consent.
Likewise, consent cannot be obtained through a user interface designed or manipulated with
the substantial effect of subverting or impairing user autonomy, decision making, or choice.
A consumer may revoke consent previously given, consistent with this chapter.
new text end
new text begin
(g) "Consumer" means a natural person who is a Minnesota resident acting only in an
individual or household context. It does not include a natural person acting in a commercial
or employment context.
new text end
new text begin
(h) "Controller" means the natural or legal person which, alone or jointly with others,
determines the purposes and means of the processing of personal data.
new text end
new text begin
(i) "Decisions that produce legal effects concerning a consumer or similarly significant
effects concerning a consumer" means decisions that result in the provision or denial of
financial and lending services, housing, insurance, education enrollment, criminal justice,
employment opportunities, health care services, or access to basic necessities, such as food
and water.
new text end
new text begin
(j) "Deidentified data" means data that cannot reasonably be used to infer information
about, or otherwise be linked to, an identified or identifiable natural person, or a device
linked to such person, provided that the controller that possesses the data:
new text end
new text begin
(1) takes reasonable measures to ensure that the data cannot be associated with a natural
person;
new text end
new text begin
(2) publicly commits to maintain and use the data only in a deidentified fashion and not
attempt to reidentify the data; and
new text end
new text begin
(3) contractually obligates any recipients of the information to comply with all provisions
of this paragraph.
new text end
new text begin
(k) "Delete" means to remove or destroy information such that it is not maintained in
human- or machine-readable form and cannot be retrieved or utilized in the course of
business.
new text end
new text begin
(l) "Genetic information" has the meaning given in section 13.386, subdivision 1.
new text end
new text begin
(m) "Identified or identifiable natural person" means a person who can be readily
identified, directly or indirectly.
new text end
new text begin
(n) "Known child" means a person under circumstances where a controller has actual
knowledge of, or willfully disregards, that the person is under 18 years of age.
new text end
new text begin
(o) "Personal data" means any information that is linked or reasonably linkable to an
identified or identifiable natural person. Personal data does not include deidentified data or
publicly available information. For purposes of this paragraph, "publicly available
information" means information that (1) is lawfully made available from federal, state, or
local government records or widely distributed media, and (2) a controller has a reasonable
basis to believe a consumer has lawfully made available to the general public.
new text end
new text begin
(p) "Process" or "processing" means any operation or set of operations that are performed
on personal data or on sets of personal data, whether or not by automated means, such as
the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
new text end
new text begin
(q) "Processor" means a natural or legal person who processes personal data on behalf
of a controller.
new text end
new text begin
(r) "Profiling" means any form of automated processing of personal data to evaluate,
analyze, or predict personal aspects concerning an identified or identifiable natural person's
economic situation, health, personal preferences, interests, reliability, behavior, location,
or movements.
new text end
new text begin
(s) "Pseudonymous data" means personal data that cannot be attributed to a specific
natural person without the use of additional information, provided that such additional
information is kept separately and is subject to appropriate technical and organizational
measures to ensure that the personal data are not attributed to an identified or identifiable
natural person.
new text end
new text begin
(t) "Sale," "sell," or "sold" means the exchange of personal data for monetary or other
valuable consideration by the controller to a third party. Sale does not include the following:
new text end
new text b