Minnesota Privacy Act Unveiled

On Monday, September 27, the Minnesota legislators held a preliminary hearing on the Minnesota Consumer Data Privacy Act” (HF1492). With Colorado and Virginia passing their own privacy bills this year and numerous other states considering their own, Rep. Steve Elkins (DFL-Bloomington) says he introduced the bill to, “create a common framework of as many states as possible…to make sure businesses don’t end up with a 50-state hodgepodge.”

The legislation applies to business entities in Minnesota that either control or process data of 100,000 consumers or derive 25 percent of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers. At the hearing, Rep. Barb Haley, a Republican, said she would not support committee work on the bill until they receive data on the number of Minnesota businesses that would be affected. Lawmakers will have to balance consumer protections with business considerations.

In a statement to the Committee, Tyler Diers, Executive Director of TechNet Midwest warned that compliance costs mean that, “smaller competitors will struggle to implement a patchwork of regulations and associated costs – potentially stifling innovation in Minnesota.” The bill affords consumers a number of familiar rights including the right to: access their data; correct inaccurate data; delete data; obtain a copy of their data; and opt-out of sale of data or processing of data for targeted advertisement. Consumers looking to exercise their rights must submit a request to data controllers, which will have 15 days to comply after receiving a request.

HF1492 aligns with privacy laws introduced at the state and federal levels through its focus on privacy policies. The law stipulates that a privacy notice must be, “reasonably accessible, clear, and meaningful,” including the type and purpose of data collected. The controller must obtain a consumer’s consent to process personal data for purposes that are “not reasonably necessary.” Controllers will be required to conduct and document data protection assessments if they are: processing data for purposes of targeted advertising, selling personal data, or processing sensitive data.

Enforcement for HF1492 lies with the attorney general, who must provide a warning letter and allow 30 days for the violation to be cured. After that, the attorney general may bring a civil action against the violator, and leverage fines of up to $7,500 per violation. Notably, the current language does not include a private right of action, a key sticking point that has doomed similar legislation in other states.

Although the Legislature does not reconvene until January, committee chair Rep. Zack Stephenson (DFL-Coon Rapids) said he “thought it was a good time to get some public feedback and some discussion going about this bill.” A companion bill, SF1408, awaits action in the Senate Commerce and Consumer Protection Finance and Policy Committee.