Minnesota Considers Adopting a CCPA-Inspired Consumer Data Privacy Bill

February 2, 2021
Hinshaw Privacy & Cyber Bytes

Minnesota is the latest in a series of states to follow California's lead in proposing new legislation aimed at enhancing consumer data privacy. The bill, HF 36 would expand consumer rights over personal information, create a private right of action for any person injured by a violation, and impose specific transparency obligations on businesses collecting and disclosing personal information. The legislation largely aligns with the California Consumer Privacy Act (CCPA), with notable differences including an expanded scope of private right of action. If passed, the law will be contained in Minnesota Statutes, chapter 3250.

Applicability

Like the CCPA, the Minnesota law would apply to any entity:

Alternatively, an entity would also be subject to the law if controlled by a separate business that meets the aforementioned criteria, or if sharing common branding with that separate entity.

Personal information is broadly defined in the bill as any information that describes, relates, or could be reasonably linked to a consumer (defined as a "natural person"), including identifying, financial, professional, health, and biometric information.

Transparency Requirements

Businesses collecting and disclosing personal information would be subject to several transparency obligations. First, a business would be required to notify consumers about:

Second, the use of information would be limited to the specified purpose. Consumers would also be granted a broad right to opt out of the sale of their personal information and would have to be notified if information were to be sold to any third party.

Finally, consumers would have to be provided with at least two designated methods for requesting the access or erasure of their information, such as a toll-free telephone number and a link on the business website. If requested, a business would be required to delete all information from their records and direct any service provider to do the same.

There are exceptions under which retention would be permitted despite a request—for example, if required to complete the transaction for which the personal information was collected, to protect against fraudulent or illegal activity or prosecute those responsible, to enable internal use of the information in a manner consistent with the context in which the consumer provided the information, to comply with a legal obligation, among others.

Businesses would be explicitly prohibited from discriminating against a consumer who exercise any of their rights under the proposed law.

Exclusions

There are several "exclusions" that expressly do not constitute the sale of personal information. For example:

However, if the third party materially alters the use of personal information, the third party must provide the consumer with notice of the new practices.

Enforcement

The attorney general would be granted enforcement power, but the law would also provide a private right of action for any injured individual. Statutory damages would range from $100 to $750 per consumer. A business that complies with all requirements will generally not be liable for any subsequent violations by a service provider or third party, provided it did not have actual knowledge of the violation.

As drafted, the proposed law is intended to take effect June 30, 2022. The bill was introduced January 7, 2021 and has been referred to the Committee on Commerce Finance and Policy.