April 15, 2021 Articles

Consumer Data Privacy Act Introduced in Minnesota

If passed, Minnesota will become the latest state to enact comprehensive legislation aimed at protecting the collection, storage, use, and dissemination of consumer data.

By Michael S. Mather and Aidan Zielske
Data privacy legislation reaches Minnesota’s borders.

Data privacy legislation reaches Minnesota’s borders.

Pexels | Josh Hild

Closely following in the footsteps of Washington and Virginia, on February 22, 2021, Minnesota House Representatives Steve Elkins and Mohamud Noor introduced House File 1492, more commonly known as the “Minnesota Consumer Data Privacy Act.” If passed, Minnesota will become the latest state to enact comprehensive legislation aimed at protecting the collection, storage, use, and dissemination of consumer data. Although the bill is in its infancy, businesses will benefit from understanding its scope and provisions.

Coverage

As proposed, the act will apply to all businesses that operate in Minnesota or otherwise target its residents and meet one of two minimum data collection thresholds:

  1. during a calendar year, the business controls or processes the personal data of 100,000 consumers or more; or
  2. the business derives over 25 percent of its gross revenue from the sale of personal data and processes or controls the personal data of 25,000 or more customers.

This is narrower than other acts, particularly the California Consumer Privacy Act, which set its minimum threshold at 50,000 consumers while also applying to any business with gross annual revenue over $25 million, regardless of the amount of data it collects.

Protections

The act seeks to broadly protect the personal data of consumers. A consumer is any Minnesota resident acting as an individual. The act does not apply to people acting in a commercial or employment context.

Personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person. This includes information usually considered sensitive, such as Social Security numbers or financial account numbers, as well as more common information, including telephone numbers and email addresses.

Exclusions

As proposed, the act contains a blanket exclusion for government entities and federally recognized Indian tribes. It also excludes categories of information generally protected by other data privacy legislation and regulations, such as information related to health, human research subjects, patient safety, employment, consumer credit, and financial transactions and other data.

Responsible Entities

The act will create two categories of responsible entities: controllers and processors. Controllers are businesses that determine what personal data is collected, why that data is collected, and the manner in which the personal data is processed and stored. A processor is any entity that processes personal data on behalf of a controller.

Controller Obligation: Use of Personal Data

The act will seek to limit a controller’s ability to collect personal data to what is reasonably necessary, as disclosed to the consumer at the time of collection. The act further prohibits controllers from using personal data for any reason other than those originally disclosed. If a controller wants to expand its use of personal data collected, it must first obtain the consumer’s consent.

For certain categories of sensitive data—including data related to a consumer’s racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, geolocation data, or data related to a child—the act prohibits collection without the consumer’s consent.

The act will further require controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. These measures must be appropriate in relation to the volume and nature of the personal data collected.

Controller Obligation: Transparency                   

Controllers will also be responsible for providing consumers with a privacy notice that is clear, meaningful, and reasonably accessible. The notice must include the following:

  1. the categories of personal data being processed;
  2. the purposes for which the personal data is processed;
  3. the categories of personal data that a controller shares with third parties, if any;
  4. the categories of third parties with whom the controller shares personal data; and
  5. how and where consumers may exercise their rights to view, correct, and delete personal data, as well as how a consumer can appeal a controller’s actions or inactions in response to a consumer’s request.

If a controller sells a consumer’s personal data or uses the data for targeted advertising, the controller must clearly and conspicuously disclose those processing activities along with information about how the consumer may opt out of that activity.

Controller Obligation: Data Protection Assessment

When a controller processes sensitive data or when personal data is sold, used for targeted advertising or profiling, or creates a heightened risk to the consumer, the controller will also be required to conduct a data protection assessment. This assessment must identify and weigh the benefits from the processing of the information against the potential risks to the rights of the consumer caused by the data processing. This assessment and any associated data must be kept in a form such that it can be made available to the Minnesota attorney general upon written request.

Processor Obligations

Processors will also have several duties under the act. As proposed, processors must follow the instructions provided by controllers and engage appropriate technical and organizational measures to protect the information provided to them. They must also assist controllers in meeting their obligations to secure personal data and provide any required breach notifications. Furthermore, processors must help controllers conduct and document any required data protection assessment. Finally, processors must also ensure that each person processing personal data adheres to a duty of confidentiality and must implement suitable measures to ensure a level of security appropriate to the data’s risk.

Creation of New Consumer Rights

The act seeks to create several new consumer rights, including the right of a consumer to

  • confirm whether or not a controller is processing the consumer’s personal data;
  • access the categories of personal data that the controller is processing;
  • obtain personal data concerning the consumer in a portable and, if feasible, readily usable format;
  • correct inaccurate personal data concerning the consumer;
  • delete personal data concerning the consumer; and
  • opt out of the processing of personal data for purposes of targeted advertising, sale, or profiling.

Consumers may exercise these rights by submitting a request to the controller, specifying which rights they wish to exercise. To facilitate this process, controllers must create one or more secure and reliable means for consumers to exercise these rights.

Controllers must provide consumers notice of their receipt of a consumer request as well as any actions taken in response to that request. If a controller chooses not to act, it must provide the consumer notice of that decision along with instructions for how to appeal.

Enforcement

The act will grant the attorney general broad authority to enforce its provisions. If a controller or processor is suspected of violating this chapter, the attorney general must first provide a warning letter identifying the specific provisions allegedly violated. If, after 30 days, the attorney general believes that the controller or processor has failed to cure any alleged violation, the attorney general may bring a civil enforcement action. If the state prevails, in addition to an injunction and liability of up to $7,500 for each violation, the state may be allowed to recover reasonable litigation expenses incurred.

Effective Date

As currently drafted, the act will take effect on July 31, 2021. For postsecondary institutions, air carriers, and nonprofit corporations, the effective date is delayed until July 31, 2026.

Key Takeaways to Help You Prepare

Although enforcement remains at least a year away, here are seven steps that you can take now to better prepare:

  1. Review and understand your data collection activities.
  2. Ensure that you are providing sufficient public notice of your data collection activities at or before the time of collection.
  3. Confirm that your use of personal data is limited to those purposes disclosed in the collection notice. If not, consider updating your notice for further collection and determine if you need to secure additional consumer consent.
  4. Identify internal stakeholders responsible for data privacy compliance, and create clear expectations and guidelines.
  5. Draft written policies that define your processes for data collection, organization, storage, and use.
  6. Review your third-party vendor contracts to ensure compliance with data privacy standards.
  7. Engage strategic partners to improve your organization’s cybersecurity and data privacy compliance.

Michael S. Mather is a shareholder at HKM, P.A. in St. Paul, Minnesota. Aidan Zielske is a law student at the University of Minnesota (J.D. expected May 2021).


Copyright © 2021, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Litigation Section, this committee, or the employer(s) of the author(s).