Minnesota Legislature
HF 2257
2nd Engrossment - 93rd Legislature (2023 - 2024) Posted on 04/18/2024 03:37pm
Current Version - 2nd Engrossment
1.8 1.9 1.10 1.11 1.12 1.13 1.14
1.15 1.16 1.17 1.18 1.19 1.20 1.21 2.1 2.2 2.3
2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26 2.27 2.28 2.29 2.30 2.31 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 3.31 3.32 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22 4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 4.31 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8 5.9 5.10 5.11 5.12 5.13 5.14 5.15 5.16 5.17 5.18 5.19 5.20 5.21 5.22 5.23 5.24 5.25 5.26 5.27 5.28 5.29 5.30 5.31 6.1 6.2 6.3 6.4
6.5 6.6 6.7 6.8
6.9 6.10 6.11 6.12 6.13 6.14 6.15 6.16 6.17 6.18 6.19 6.20 6.21 6.22 6.23 6.24 6.25 6.26 6.27 6.28 6.29 6.30 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9 7.10 7.11 7.12 7.13
7.14 7.15 7.16 7.17 7.18 7.19 7.20 7.21 7.22 7.23 7.24 7.25 7.26 7.27 7.28 7.29 7.30 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 8.10 8.11 8.12 8.13 8.14 8.15 8.16 8.17 8.18 8.19 8.20 8.21 8.22 8.23 8.24 8.25 8.26 8.27 8.28 8.29 8.30 8.31 8.32 8.33 8.34 9.1 9.2 9.3 9.4 9.5 9.6 9.7 9.8 9.9 9.10 9.11 9.12 9.13 9.14 9.15 9.16 9.17 9.18 9.19 9.20 9.21 9.22 9.23 9.24 9.25 9.26 9.27 9.28 9.29 9.30 9.31 9.32 9.33 9.34 10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8 10.9 10.10 10.11 10.12 10.13 10.14 10.15 10.16 10.17 10.18 10.19 10.20 10.21 10.22 10.23 10.24 10.25 10.26 10.27 10.28 10.29 10.30 10.31 11.1 11.2 11.3 11.4 11.5 11.6 11.7 11.8 11.9 11.10 11.11 11.12
11.13 11.14 11.15 11.16 11.17 11.18 11.19 11.20 11.21 11.22 11.23 11.24 11.25 11.26 11.27 11.28 11.29 11.30 11.31 11.32 12.1 12.2 12.3 12.4
12.5 12.6 12.7 12.8 12.9 12.10 12.11 12.12 12.13
12.14 12.15 12.16 12.17 12.18 12.19 12.20 12.21 12.22 12.23
A bill for an act
relating to consumer data privacy; creating the Minnesota Age-Appropriate Design
Code Act; placing obligations on certain businesses regarding children's consumer
information; providing for enforcement by the attorney general; proposing coding
for new law in Minnesota Statutes, chapter 13; proposing coding for new law as
Minnesota Statutes, chapter 325O.
BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:
Section 1.
new text begin
[13.6505] ATTORNEY GENERAL DATA CODED ELSEWHERE.
new text end
new text begin Subdivision 1. new text end
new text begin Scope. new text end
new text begin
The sections referred to in this section are codified outside this
chapter. Those sections classify attorney general data as other than public, place restrictions
on access to government data, or involve data sharing.
new text end
new text begin Subd. 2. new text end
new text begin Data protection impact assessments. new text end
new text begin
A data protection impact assessment
collected or maintained by the attorney general under section 325O.04, is classified under
subdivision 3 of that section.
new text end
Sec. 2.
new text begin
[325O.01] CITATION; CONSTRUCTION.
new text end
new text begin Subdivision 1. new text end
new text begin Citation. new text end
new text begin
This chapter may be cited as the "Minnesota Age-Appropriate
Design Code Act."
new text end
new text begin Subd. 2. new text end
new text begin Construction. new text end
new text begin
(a) A business that develops and provides online services,
products, or features that children are reasonably likely to access must consider the best
interests of children when designing, developing, and providing that online service, product,
or feature.
new text end
new text begin
(b) If a conflict arises between commercial interests of a business and the best interests
of children likely to access an online product, service, or feature, the business must prioritize
the privacy, safety, and well-being of children over its commercial interests.
new text end
Sec. 3.
new text begin
[325O.02] DEFINITIONS.
new text end
new text begin
(a) For purposes of this chapter, the following terms have the meanings given.
new text end
new text begin
(b) "Affiliate" means a legal entity that controls, is controlled by, or is under common
control with, that other legal entity. For these purposes, "control" or "controlled" means:
ownership of, or the power to vote, more than 50 percent of the outstanding shares of any
class of voting security of a company; control in any manner over the election of a majority
of the directors or of individuals exercising similar functions; or the power to exercise a
controlling influence over the management of a company.
new text end
new text begin
(c) "Age-appropriate" means a recognition of the distinct needs and diversities of children
at different age ranges. In order to help support the design of online services, products, and
features, a business should take into account the unique needs and diversities of different
age ranges, including the following developmental stages: zero to five years of age or
"preliterate and early literacy"; six to nine years of age or "core primary school years"; ten
to 12 years of age or "transition years"; 13 to 15 years of age or "early teens"; and 16 to 17
years of age or "approaching adulthood."
new text end
new text begin
(d) "Best interests of children" means the use, by a business, of the personal data of a
child or the design of an online service, product, or feature in a way that:
new text end
new text begin
(1) will not benefit the business to the detriment of the child; and
new text end
new text begin
(2) will not result in:
new text end
new text begin
(i) reasonably foreseeable and material physical or financial harm to the child;
new text end
new text begin
(ii) reasonably foreseeable and severe psychological or emotional harm to the child;
new text end
new text begin
(iii) a highly offensive intrusion on the reasonable privacy expectations of the child; or
new text end
new text begin
(iv) discrimination against the child based upon race, color, religion, national origin,
disability, sex, or sexual orientation.
new text end
new text begin
(e) "Business" means:
new text end
new text begin
(1) a sole proprietorship, partnership, limited liability company, corporation, association,
or other legal entity that is organized or operated for the profit or financial benefit of its
shareholders or other owners; and
new text end
new text begin
(2) an affiliate of a business that shares common branding with the business. For purposes
of this clause, "common branding" means a shared name, servicemark, or trademark that
the average consumer would understand that two or more entities are commonly owned.
new text end
new text begin
For purposes of this chapter, for a joint venture or partnership composed of businesses in
which each business has at least a 40 percent interest, the joint venture or partnership and
each business that composes the joint venture or partnership shall separately be considered
a single business, except that personal data in the possession of each business and disclosed
to the joint venture or partnership must not be shared with the other business.
new text end
new text begin
(f) "Child" means a consumer who is under 18 years of age.
new text end
new text begin
(g) "Collect" means buying, renting, gathering, obtaining, receiving, or accessing any
personal data pertaining to a consumer by any means. This includes receiving data from the
consumer, either actively or passively, or by observing the consumer's behavior.
new text end
new text begin
(h) "Consumer" means a natural person who is a Minnesota resident, however identified,
including by any unique identifier.
new text end
new text begin
(i) "Dark pattern" means a user interface designed or manipulated with the purpose of
subverting or impairing user autonomy, decision making, or choice.
new text end
new text begin
(j) "Data protection impact assessment" means a systematic survey to assess compliance
with the duty to act in the best interests of children and shall include a plan to ensure that
all online products, services, or features provided by the business are designed and offered
in a manner consistent with the best interests of children reasonably likely to access the
online service, product, or feature. Such a plan shall include a description of steps the
business has taken and will take to comply with the duty to act in the best interests of
children.
new text end
new text begin
(k) "Default" means a preselected option adopted by the business for the online service,
product, or feature.
new text end
new text begin
(l) "Deidentified" means data that cannot reasonably be used to infer information about,
or otherwise be linked to, an identified or identifiable natural person, or a device linked to
such person, provided that the business that possesses the data:
new text end
new text begin
(1) takes reasonable measures to ensure that the data cannot be associated with a natural
person;
new text end
new text begin
(2) publicly commits to maintain and use the data only in a deidentified fashion and not
attempt to reidentify the data; and
new text end
new text begin
(3) contractually obligates any recipients of the data to comply with all provisions of
this paragraph.
new text end
new text begin
(m) "Derived data" means assumptions, correlations, inferences, predictions, or
conclusions based on data about a child or a child's device.
new text end
new text begin
(n) "Online service, product, or feature" does not mean any of the following:
new text end
new text begin
(1) telecommunications service, as defined in United States Code, title 47, section 153;
new text end
new text begin
(2) a broadband service as defined by section 116J.39, subdivision 1; or
new text end
new text begin
(3) the delivery, sale, or use of a physical product.
new text end
new text begin
(o) "Personal data" means any information, including derived data, that is linked or
reasonably linkable, alone or in combination with other information, to an identified or
identifiable natural person. Personal data does not include deidentified data or publicly
available information. For purposes of this paragraph, "publicly available information"
means information that (1) is lawfully made available from federal, state, or local government
records or widely distributed media, and (2) a controller has a reasonable basis to believe
a consumer has lawfully made available to the general public.
new text end
new text begin
(p) "Precise geolocation" means any data that is derived from a device and that is used
or intended to be used to locate a consumer within a geographic area that is equal to or less
than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations.
new text end
new text begin
(q) "Process" or "processing" means to conduct or direct any operation or set of operations
that are performed on personal data or on sets of personal data, whether or not by automated
means, such as the collection, use, storage, disclosure, analysis, deletion, modification, or
otherwise handling of personal data.
new text end
new text begin
(r) "Product experimentation results" means the data that a business collects to understand
the experimental impact of its products.
new text end
new text begin
(s) "Profiling" means any form of automated processing of personal data to evaluate,
analyze, or predict personal aspects concerning an identified or identifiable natural person's
economic situation, health, personal preferences, interests, reliability, behavior, location,
or movements.
new text end
new text begin
(t) "Reasonably likely to be accessed by children" means an online service, product, or
feature that it is reasonable to expect would be accessed by children based on any of the
following indicators:
new text end
new text begin
(1) the online service, product, or feature is directed to children, as defined by the
Children's Online Privacy Protection Act, United States Code, title 15, section 6501 et seq.,
and the Federal Trade Commission rules implementing that act;
new text end
new text begin
(2) the online service, product, or feature is determined, based on competent and reliable
evidence regarding audience composition, to be routinely accessed by a significant number
of children;
new text end
new text begin
(3) the online service, product, or feature contains advertisements marketed to children;
new text end
new text begin
(4) the online service, product, or feature is substantially similar or the same as an online
service, product, or feature subject to clause (2);
new text end
new text begin
(5) a significant amount of the audience of the online service, product, or feature is
determined, based on internal company research, to be children; or
new text end
new text begin
(6) that the business knew or should have known that a significant number of users are
children, provided that, in making this assessment, the business shall not collect or process
any personal data that is not reasonably necessary to provide an online service, product, or
feature with which a child is actively and knowingly engaged.
new text end
new text begin
(u) "Sale," "sell," or "sold" means the exchange of personal data for monetary or other
valuable consideration by a business to a third party. Sale does not include the following:
new text end
new text begin
(1) the disclosure of personal data to a third party who processes the personal data on
behalf of the business;
new text end
new text begin
(2) the disclosure of personal data to a third party with whom the consumer has a direct
relationship for purposes of providing a product or service requested by the consumer;
new text end
new text begin
(3) the disclosure or transfer of personal data to an affiliate of the business;
new text end
new text begin
(4) the disclosure of data that the consumer intentionally made available to the general
public via a channel of mass media and did not restrict to a specific audience; or
new text end
new text begin
(5) the disclosure or transfer of personal data to a third party as an asset that is part of a
completed or proposed merger, acquisition, bankruptcy, or other transaction in which the
third party assumes control of all or part of the business's assets.
new text end
new text begin
(v) "Share" means sharing, renting, releasing, disclosing, disseminating, making available,
transferring, or otherwise communicating orally, in writing, or by electronic or other means
a consumer's personal data by the business to a third party for cross-context behavioral
advertising, whether or not for monetary or other valuable consideration, including
transactions between a business and a third party for cross-context behavioral advertising
for the benefit of a business in which no money is exchanged.
new text end
new text begin
(w) "Third party" means a natural or legal person, public authority, agency, or body
other than the consumer or the business.
new text end
Sec. 4.
new text begin
[325O.025] INFORMATION FIDUCIARY.
new text end
new text begin
Notwithstanding section 325O.03, any business that operates in the state of Minnesota
and processes children's data in any capacity must do so in a manner consistent with the
best interests of children.
new text end
Sec. 5.
new text begin
[325O.03] SCOPE; EXCLUSIONS.
new text end
new text begin
(a) A business is subject to this chapter if it:
new text end
new text begin
(1) collects consumers' personal data or has consumers' personal data collected on its
behalf by a third party;
new text end
new text begin
(2) alone or jointly with others, determines the purposes and means of the processing
of consumers' personal data;
new text end
new text begin
(3) does business in Minnesota; and
new text end
new text begin
(4) satisfies one or more of the following thresholds:
new text end
new text begin
(i) has annual gross revenues in excess of $25,000,000, as adjusted every odd-numbered
year to reflect the Consumer Price Index;
new text end
new text begin
(ii) alone or in combination, annually buys, receives for the business's commercial
purposes, sells, or shares for commercial purposes, alone or in combination, the personal
data of 50,000 or more consumers, households, or devices; or
new text end
new text begin
(iii) derives 50 percent or more of its annual revenues from selling consumers' personal
data.
new text end
new text begin
(b) This chapter does not apply to:
new text end
new text begin
(1) protected health information that is collected by a covered entity or business associate
governed by the privacy, security, and breach notification rules issued by the United States
Department of Health and Human Services, Code of Federal Regulations, title 45, parts 160
and 164, established pursuant to the Health Insurance Portability and Accountability Act
of 1996, Public Law 104-191, and the Health Information Technology for Economic and
Clinical Health Act, Public Law 111-5;
new text end
new text begin
(2) a covered entity governed by the privacy, security, and breach notification rules
issued by the United States Department of Health and Human Services, Code of Federal
Regulations, title 45, parts 160 and 164, established pursuant to the Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191, to the extent the provider
or covered entity maintains patient information in the same manner as medical information
or protected health information as described in clause (1);
new text end
new text begin
(3) information collected as part of a clinical trial subject to the federal policy for the
protection of human subjects, also known as the common rule, pursuant to good clinical
practice guidelines issued by the International Council for Harmonisation or pursuant to
human subject protection requirements of the United States Food and Drug Administration;
or
new text end
new text begin
(4) a business whose principal business is the origination of journalism, and has a
significant portion of its workforce consisting of professional journalists.
new text end
Sec. 6.
new text begin
[325O.04] BUSINESS OBLIGATIONS.
new text end
new text begin Subdivision 1. new text end
new text begin Requirements for businesses. new text end
new text begin
(a) A business subject to this chapter
must:
new text end
new text begin
(1) complete a data protection impact assessment for any new online service, product,
or feature that is reasonably likely to be to accessed by children, and maintain documentation
of the data protection impact assessment as long as the online service, product, or feature
is reasonably likely to be accessed by children;
new text end
new text begin
(2) review and modify all data protection impact assessments as necessary to account
for material changes to processing pertaining to the online service, product, or feature;
new text end
new text begin
(3) within five business days of a written request by the attorney general, provide to the
attorney general a list of all data protection impact assessments the business has completed;
new text end
new text begin
(4) within seven business days of a written request by the attorney general or by a date
otherwise specified by the attorney general, provide the attorney general with a copy of any
data protection impact assessment;
new text end
new text begin
(5) configure all default privacy settings provided to children by the online service,
product, or feature to settings that offer a high level of privacy, unless the business can
demonstrate a compelling reason that a different setting is in the best interests of children;
new text end
new text begin
(6) provide any privacy information, terms of service, policies, and community standards
concisely, prominently, and using clear language suited to the age of children reasonably
likely to access that online service, product, or feature; and
new text end
new text begin
(7) provide prominent, accessible, and responsive tools to help children, or if applicable
their parents or guardians, exercise their privacy rights and report concerns.
new text end
new text begin
(b) A data protection impact assessment required by this section must identify the purpose
of the online service, product, or feature; explain how it uses children's personal data; and
determine whether the online service, product, or feature that is reasonably likely to accessed
by children is designed and offered in an age-appropriate manner consistent with the best
interests of children. A data protection impact assessment must assess each of the following
factors:
new text end
new text begin
(1) whether algorithms used by the service, product, or feature would result in reasonably
foreseeable and material physical or financial harm to the child; reasonably foreseeable and
extreme psychological or emotional harm to the child; a highly offensive intrusion on the
reasonable privacy expectations of the child; or discrimination against the child based upon
race, color, religion, national origin, disability, sex, or sexual orientation;
new text end
new text begin
(2) whether the design of the online service, product, or feature could lead to children
experiencing or being targeted by contacts on the online service, product, or feature that
would result in reasonably foreseeable and material physical or financial harm to the child;
reasonably foreseeable and extreme psychological or emotional harm to the child; a highly
offensive intrusion on the reasonable privacy expectations of the child; or discrimination
against the child based upon race, color, religion, national origin, disability, sex, or sexual
orientation;
new text end
new text begin
(3) whether the design of the online service, product, or feature could permit children
to witness, participate in, or be subject to conduct on the online service, product, or feature
that would result in reasonably foreseeable and material physical or financial harm to the
child; reasonably foreseeable and extreme psychological or emotional harm to the child; a
highly offensive intrusion on the reasonable privacy expectations of the child; or
discrimination against the child based upon race, color, religion, national origin, disability,
sex, or sexual orientation;
new text end
new text begin
(4) whether the design of the online service, product, or feature is reasonably expected
to allow children to be party to or exploited by a contact on the online service, product, or
feature that would result in reasonably foreseeable and material physical or financial harm
to the child; reasonably foreseeable and extreme psychological or emotional harm to the
child; a highly offensive intrusion on the reasonable privacy expectations of the child; or
discrimination against the child based upon race, color, religion, national origin, disability,
sex, or sexual orientation;
new text end
new text begin
(5) whether targeted advertising systems used by the online service, product, or feature
would result in reasonably foreseeable and material physical or financial harm to the child;
reasonably foreseeable and extreme psychological or emotional harm to the child; a highly
offensive intrusion on the reasonable privacy expectations of the child; or discrimination
against the child based upon race, color, religion, national origin, disability, sex, or sexual
orientation;
new text end
new text begin
(6) whether the online service, product, or feature uses system design features to increase,
sustain, or extend use of the online service, product, or feature by children, including the
automatic playing of media, rewards for time spent, and notifications, that would result in
reasonably foreseeable and material physical or financial harm to the child; reasonably
foreseeable and extreme psychological or emotional harm to the child; a highly offensive
intrusion on the reasonable privacy expectations of the child; or discrimination against the
child based upon race, color, religion, national origin, disability, sex, or sexual orientation;
new text end
new text begin
(7) whether, how, and for what purpose the online service, product, or feature collects
or processes personal data of children, and whether those practices would result in reasonably
foreseeable and material physical or financial harm to the child; reasonably foreseeable and
extreme psychological or emotional harm to the child; a highly offensive intrusion on the
reasonable privacy expectations of the child; or discrimination against the child based upon
race, color, religion, national origin, disability, sex, or sexual orientation; and
new text end
new text begin
(8) whether and how product experimentation results for the online product, service, or
feature reveal data management or design practices that would result in reasonably
foreseeable and material physical or financial harm to the child; reasonably foreseeable and
extreme psychological or emotional harm to the child; a highly offensive intrusion on the
reasonable privacy expectations of the child; or discrimination against the child based upon
race, color, religion, national origin, disability, sex, or sexual orientation.
new text end
new text begin
(c) A data protection impact assessment conducted by a business for the purpose of
compliance with any other law complies with this section if the data protection impact
assessment meets the requirement of this chapter.
new text end
new text begin
(d) A single data protection impact assessment may contain multiple similar processing
operations that present similar risk only if each relevant online service, product, or feature
is addressed.
new text end
new text begin
(e) For purposes of estimating a child's age, a business must only process the minimal
amount of personal data reasonably necessary to provide the online service, product, or
feature with which the child is actively and knowingly engaged.
new text end
new text begin Subd. 2. new text end
new text begin Prohibition on businesses. new text end
new text begin
A business that provides an online service, product,
or feature reasonably likely to be accessed by children must not:
new text end
new text begin
(1) process the personal data of any child in a way that is inconsistent with the best
interests of children reasonably likely to access the online service, product, or feature;
new text end
new text begin
(2) profile a child by default unless both of the following criteria are met:
new text end
new text begin
(i) the business can demonstrate it has appropriate safeguards in place to ensure that
profiling is consistent with the best interests of children reasonably likely to access the
online service, product, or feature; and
new text end
new text begin
(ii) either of the following is true:
new text end
new text begin
(A) profiling is necessary to provide the online service, product, or feature requested
and only with respect to the aspects of the online service, product, or feature with which a
child is actively and knowingly engaged; or
new text end
new text begin
(B) the business can demonstrate a compelling reason that profiling is in the best interests
of children;
new text end
new text begin
(3) process any personal data that is not reasonably necessary to provide an online service,
product, or feature with which a child is actively and knowingly engaged;
new text end
new text begin
(4) if the end user is a child, process personal data for any reason other than a reason
for which that personal data was collected;
new text end
new text begin
(5) process any precise geolocation information of children by default, unless the
collection of that precise geolocation information is strictly necessary for the business to
provide the service, product, or feature requested and then only for the limited time that the
collection of precise geolocation information is necessary to provide the service, product,
or feature;
new text end
new text begin
(6) process any precise geolocation information of a child without providing an obvious
sign to the child for the duration of that collection that precise geolocation information is
being collected;
new text end
new text begin
(7) use dark patterns to cause children to provide personal data beyond what is reasonably
expected to provide that online service, product, or feature to forgo privacy protections, or
to take any action that the business knows, or has reason to know, is not in the best interests
of children reasonably likely to access the online service, product, or feature; or
new text end
new text begin
(8) allow a child's parent, guardian, or any other consumer to monitor the child's online
activity or track the child's location, without providing an obvious signal to the child when
the child is being monitored or tracked.
new text end
new text begin Subd. 3. new text end
new text begin Data practices. new text end
new text begin
(a) A data protection impact assessment collected or maintained
by the attorney general under subdivision 1 is classified as nonpublic data or private data
on individuals under section 13.02, subdivisions 9 and 12.
new text end
new text begin
(b) To the extent any information contained in a data protection impact assessment
disclosed to the attorney general includes information subject to attorney-client privilege
or work product protection, disclosure pursuant to this section does not constitute a waiver
of that privilege or protection.
new text end
Sec. 7.
new text begin
[325O.05] ATTORNEY GENERAL ENFORCEMENT.
new text end
new text begin
(a) A business that violates this chapter may be subject to an injunction and liable for a
civil penalty of not more than $2,500 per affected child for each negligent violation, or not
more than $7,500 per affected child for each intentional violation, which may be assessed
and recovered only in a civil action brought by the attorney general in accordance with
section 8.31. If the state prevails in an action to enforce this chapter, the state may, in addition
to penalties provided by this paragraph or other remedies provided by law, be allowed an
amount determined by the court to be the reasonable value of all or part of the state's litigation
expenses incurred.
new text end
new text begin
(b) Any penalties, fees, and expenses recovered in an action brought under this chapter
must be deposited in an account in the special revenue fund and are appropriated to the
attorney general to offset costs incurred by the attorney general in connection with
enforcement of this chapter.
new text end
new text begin
(c) If a business is in substantial compliance with this chapter and has fulfilled the
requirements of section 325O.04, subdivision 1, paragraph (a), clause (1), the attorney
general must, before initiating a civil action under this section, provide written notice to the
business identifying the specific provisions of this chapter that the attorney general alleges
have been or are being violated. If, within 90 days of the notice required by this paragraph,
the business cures any noticed violation and provides the attorney general a written statement
that the alleged violations have been cured, and sufficient measures have been taken to
prevent future violations, the business is not liable for a civil penalty for any violation cured
pursuant to this section.
new text end
new text begin
(d) Nothing in this chapter provides a private right of action under this chapter, section
8.31, or any other law.
new text end
Sec. 8.
new text begin
[325O.06] LIMITATIONS.
new text end
new text begin
Nothing in this chapter shall be interpreted or construed to:
new text end
new text begin
(1) impose liability in a manner that is inconsistent with United States Code, title 47,
section 230;
new text end
new text begin
(2) prevent or preclude any child from deliberately or independently searching for or
specifically requesting content;
new text end
new text begin
(3) require a business to implement age-gating or other technical protection methods to
prevent underage people from viewing a website or other content; or
new text end
new text begin
(4) infringe on the existing rights and freedoms of children.
new text end
Sec. 9. new text begin EFFECTIVE DATE.
new text end
new text begin
(a) This act is effective July 1, 2025.
new text end
new text begin
(b) "Legacy product" means any online service, product, or feature that is likely to be
accessed by children and that is offered to the public before July 1, 2025. By July 1, 2025,
a business must complete a data protection impact assessment for all legacy products, unless
the legacy product is exempt under paragraph (c). A business which is not in compliance
with this paragraph is not eligible for the 90-day opportunity, provided under Minnesota
Statutes, section 325O.05, paragraph (c), to cure a violation related to a legacy product.
new text end
new text begin
(c) This act does not apply to an online service, product, or feature that is not offered to
the public on or after July 1, 2025.
new text end