Closely following in the footsteps of Washington and Virginia, on February 22, 2021, Minnesota House Representatives Steve Elkins and Mohamud Noor introduced House File 1492, more commonly known as the “Minnesota Consumer Data Privacy Act” (the “Act”). If passed, Minnesota will become the latest state to enact comprehensive legislation aimed to protect the collection, storage, use, and dissemination of consumer data.
Although the bill is in its infancy, businesses will benefit from understanding its scope and provisions.
Who Is Covered?
As proposed, the Act will apply to all businesses that operate in Minnesota or otherwise target its residents and meet one of two minimum data collection thresholds:
- during a calendar year, the business controls or processes the personal data of 100,000 consumers or more; or
- the business derives over 25 percent of its gross revenue from the sale of personal data and processes or controls the personal data of 25,000 or more customers.
This is narrower than other acts, particularly the California Consumer Privacy Act, which set its minimum threshold at 50,000 consumers, while also applying to any business with gross annual revenue over $25 million, regardless of the amount of data it collects.
What Information Does It Protect?
The Act seeks to broadly protect the personal data of consumers. Consumers are defined as any Minnesota resident while acting as an individual. The Act does not apply to people acting in a commercial or employment context.
Personal data is any information that is linked or reasonably linkable to an identified or identifiable natural person. This includes information usually considered sensitive, such as social security number or financial account numbers, as well as more common information, including telephone numbers and e-mail addresses.
Are There Exclusions?
As proposed, the Act contains a blanket exclusion for government entities and federally recognized Indian tribes. It also excludes categories of information generally protected by other data privacy legislation and regulations, such as information related to health, human research subjects, patient safety, employment, consumer credit, and financial transactions, among other data.
What Does the Act Require?
The Act will create two categories of responsible entities: controllers and processors. Controllers are businesses that determine what personal data is collected, why that data is collected, and the manner in which the personal data is processed and stored. Processors are any entities that process personal data on behalf of a controller.
What Obligations do Controllers Have?
The Act will establish several responsibilities for controllers governing their collection and use of personal data as well as their transparency obligations to the public.
Use of Personal Data
The Act will seek to limit a controller’s ability to collect personal data to what is reasonably necessary, as disclosed to the consumer at the time of collection. The Act further prohibits controllers from using personal data for any reason other than those originally disclosed. If a controller wants to expand its use of personal data collected, it must first obtain the consumer’s consent.
For certain categories of sensitive data—including data related to a consumer’s racial or ethnic origin, religious beliefs, mental or physical health conditions or diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, geolocation data, or data related to a child—the Act prohibits its collection without the consumer’s consent.
The Act will further require controllers to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data. These measures must be appropriate in relation to the volume and nature of the personal data collected.
Controllers will also be responsible for providing consumers with a privacy notice that is clear, meaningful, and reasonably accessible. The notice must include:
- the categories of personal data being processed;
- the purposes for which the personal data is processed;
- the categories of personal data a controller shares with third parties, if any;
- the categories of third parties with whom the controller shares personal data; and
- how and where consumers may exercise their rights to view, correct, and delete personal data, as well as how a consumer can appeal a controller’s actions or inactions in response to a consumer’s request.
If a controller sells a consumer’s personal data or uses the data for targeted advertising, the controller must clearly and conspicuously disclose those processing activities along with information about how the consumer may opt out of that activity.
Data Protection Assessment
Should a controller process sensitive data, or when personal data is sold, used for targeted advertising or profiling, or creates a heightened risk to the consumer, the controller will also be required to conduct a data protection assessment. This assessment must identify and weigh the benefits from the processing of the information against the potential risks to the rights of the consumer caused by the data processing. This assessment and any associated data must be kept in a form such that it can be made available to the Minnesota Attorney General upon written request.
What Obligations do Processors Have?
Processors will also have several duties under the Act. As proposed, processors must follow the instructions provided by controllers and engage appropriate technical and organizational measures to protect the information provided to them. They must also assist controllers in meeting their obligations to secure personal data and provide any required breach notifications. Furthermore, processors must help controllers conduct and document any required data protection assessment. Finally, processors must also ensure that each person processing personal data adheres to a duty of confidentiality and must implement suitable measures to ensure a level of security appropriate to the data’s risk.
Does the Act Create New Consumer Rights?
The Act seeks to create several new consumer rights, including the right to:
- confirm whether or not a controller is processing their personal data;
- access the categories of personal data the controller is processing;
- obtain personal data concerning the consumer in a portable and, if feasible, readily useable format;
- correct inaccurate personal data concerning the consumer;
- delete personal data concerning the consumer; and
- opt out of the processing of personal data for purposes of targeted advertising, sale, or profiling.
Consumers may exercise these rights by submitting a request to the controller, specifying which rights he or she wishes to exercise. To facilitate this process, controllers must create one or more secure and reliable means for a consumer to exercise these rights.
Controllers must provide consumers notice of their receipt of a consumer request as well as any actions taken in response to that request. If a controller chooses not to act, it must provide the consumer notice of that decision along with instructions for how to appeal.
Who Will Enforce the Act?
The Act will grant the Attorney General broad authority to enforce its provisions. If a controller or processor is suspected of violating this chapter, the Attorney General must first provide a warning letter identifying the specific provisions allegedly violated. If, after 30 days, the Attorney General believes the controller or processor has failed to cure any alleged violation, he or she may bring a civil enforcement action. If the state prevails, in addition to an injunction and liability of up to $7,500 for each violation, the state may be allowed to recover reasonable litigation expenses incurred.
When Will The Act Go Into Effect?
As currently drafted, the Act will take effect on July 31, 2021. For postsecondary institutions, air carriers, and nonprofit corporations, the effective date is delayed until July 31, 2026.
Key Takeaways to Help You Prepare
Although enforcement remains at least a year away, there are several things you can do now to better prepare:
- Review and understand your data collection activities.
- Ensure you are providing sufficient public notice of your data collection activities at or before the time of collection.
- Confirm your use of personal data is limited to those purposes disclosed in the collection notice. If not, consider updating your notice for future collection and determine if you need to secure additional consumer consent.
- Identify internal stakeholders responsible for data privacy compliance and create clear expectations and guidelines.
- Draft written policies that define your processes for data collection, organization, storage, and use.
- Review your third-party vendor contracts to ensure compliance with data privacy standards.
- Engage strategic partners to improve your organization’s cybersecurity and data privacy compliance.
Questions? We’re Here to Help
HAWS-KM’s attorneys continue to monitor emerging issues. If you have questions regarding cybersecurity and data privacy law topics, please contact the author or your HAWS-KM attorney at (651) 227-9411.