Minnesota Proposes its Own Version of CCPA

Ever since the California Consumer Privacy Act (CCPA) set the tone for state-level privacy laws, more and more states have followed suit. At the start of the year, Minnesota proposed its own data privacy bill, and yes, it’s heavily influenced by CCPA.

The bill, known as HF 36, has been sent for referral to the Committee on Commerce, Finance, and Policy. If passed, it will take effect on June 30, 2022. Here’s what you need to know ahead of time.

Scope

To say HF 36 follows CCPA’s lead would be an understatement. While the bills are not identical, the standards for applicability are similar. HF 36 would apply to businesses that:

  • Make over $25 million in annual gross revenue;

  • Buy or sell personal information of at least 50,000 consumers, households, or devices annually;

  • Earn 50 percent or more of their revenue by selling personal information.

Subsidiaries are not off the hook. Any company controlled by an organization that meets the criteria will also be subject to the regulations, with “controlled” describing any situation where an organization owns more than 50 percent of a company or holds the power to influence management and elect directors. Additionally, separate organizations with common branding, such as a shared name or trademark, are subject to the same regulations.

Personal information is defined broadly. Any information that describes, relates to, or could be linked to a consumer meets the standard. Of course, that includes identifiers, but it may also mean financial, professional, biometric, health, commercial, physical, or online browsing data.

Consumer Rights

Three of the baseline consumer rights are included in HF 36: the right to access, the right to delete, and the right to opt-out of sale.

At any time, consumers can request access to personal information collected from them, as well as the source of the information, the purpose of collecting it, and any service providers it has been disclosed to or third parties it has been sold to. Organizations have 45 days to fulfill these requests.

Some variation of the right to data portability is included in the right to access; personal information provided to consumers must be in a readable format that they can transfer to another entity.

Deletion requests work in a similar way. Upon receiving a deletion request, organizations must delete the data from their records and instruct any service providers that hold the data to do the same.

Some exemptions apply. Organizations need not comply with deletion requests if the relevant data is necessary to fulfill their obligations to the consumer. Other exemptions include cases where deletion would seriously hinder an organization’s ability to detect security incidents, engage in public or peer-reviewed research, repair functionality errors, or comply with any other legal obligation.

If consumers exercise their right to “opt-out,” organizations may not sell their data. This applies to onward transfers as well: third parties may not resell the data without giving the consumer explicit notice and the chance to opt out.

Minors, however, must “opt-in” for organizations to sell their data. Children between 13 and 16 must affirmatively authorize the sale themselves. For those under 13, authorization must come from the parent or guardian.

Organizations must offer consumers at least two methods for submitting access, deletion, or opt-out requests, such as a toll-free telephone number or a “clear and conspicuous” link on the organization’s home page. Consumers may not be charged or required to create an account for these requests, but businesses may require identity authentication.

Data controllers may not penalize consumers for exercising their rights. That means they can’t deny goods, provide lower quality services, or charge a higher price for services, unless “the difference is reasonably related to the value provided to the business by sale of the consumer’s data.” This includes offering discounts to customers for not exercising their rights.

Transparency Obligations

The bill includes a notice-upon-collection requirement, which must include:

  • The categories of data collected;

  • How the business collected the data;

  • The purpose of collection, whether business or commercial;

  • The categories of any third parties to which the data is disclosed, including the purpose of disclosure;

  • The consumer’s right to access or delete personal data.

In order to sell personal information, organizations must provide a notice-upon-sale detailing the categories of data sold, the categories of third parties they are sold to, and the purpose of the sale. This notice must also inform the consumer of their opt-out rights.

Organizations may not go beyond any of the purposes, categories, and third parties listed in the initial notice without providing an additional notice to the consumer. Service providers that receive personal data from an organization may not retain, disclose, use, or sell it for purposes beyond their contractual or legal obligations.

Enforcement

Violations would be enforced by the Attorney General; in such cases, violators may have to pay penalties and cover the state’s litigation costs.

The bill includes a private right of action. If successful, individuals are entitled to their actual damages or statutory damages of between $100 and $750 per violation, whichever is greater.

Organizations must also cover investigation and attorney fees, and may be required to pay up to three times as much for “willful and malicious” violations.
