Minnesota Legislature

HF 2257

as introduced - 93rd Legislature (2023 - 2024) Posted on 03/06/2023 04:22pm

KEY: stricken = removed, old language.
underscored = added, new language.

A bill for an act
relating to consumer data privacy; creating the Minnesota Age-Appropriate Design
Code Act; placing obligations on certain businesses regarding children's consumer
information; providing for enforcement by the attorney general; proposing coding
for new law in Minnesota Statutes, chapter 13; proposing coding for new law as
Minnesota Statutes, chapter 325O.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

new text begin [13.6505] ATTORNEY GENERAL DATA CODED ELSEWHERE.
new text end

new text begin Subdivision 1. new text end

new text begin Scope. new text end

new text begin The sections referred to in this section are codified outside this
chapter. Those sections classify attorney general data as other than public, place restrictions
on access to government data, or involve data sharing.
new text end

new text begin Subd. 2. new text end

new text begin Data protection impact assessments. new text end

new text begin A data protection impact assessment
collected or maintained by the attorney general under section 325O.04, is classified under
subdivision 4 of that section.
new text end

Sec. 2.

new text begin [325O.01] CITATION; CONSTRUCTION.
new text end

new text begin Subdivision 1. new text end

new text begin Citation. new text end

new text begin This chapter may be cited as the "Minnesota Age-Appropriate
Design Code Act."
new text end

new text begin Subd. 2. new text end

new text begin Construction. new text end

new text begin (a) A business that develops and provides online services,
products, or features that children are likely to access must consider the best interests of
children when designing, developing, and providing that online service, product, or feature.
new text end

new text begin (b) If a conflict arises between commercial interests of a business and the best interests
of children likely to access an online product, service, or feature, the business must prioritize
the privacy, safety, and well-being of children over its commercial interests.
new text end

Sec. 3.

new text begin [325O.02] DEFINITIONS.
new text end

new text begin (a) For purposes of this chapter, the following terms have the meanings given.
new text end

new text begin (b) "Aggregate consumer information" means information that relates to a group or
category of consumers, from which individual consumer identities have been removed, that
is not linked or reasonably linkable to any consumer or household, including via a device.
Aggregate consumer information does not mean one or more individual consumer records
that have been deidentified.
new text end

new text begin (c) "Business" means:
new text end

new text begin (1) a sole proprietorship, partnership, limited liability company, corporation, association,
or other legal entity that is organized or operated for the profit or financial benefit of its
shareholders or other owners that:
new text end

new text begin (i) collects consumers' personal information or on behalf of which that information is
collected;
new text end

new text begin (ii) alone, or jointly with others, determines the purposes and means of the processing
of consumers' personal information;
new text end

new text begin (iii) does business in Minnesota; and
new text end

new text begin (iv) satisfies one or more of the following thresholds:
new text end

new text begin (A) has annual gross revenues in excess of $25,000,000, as adjusted every odd-numbered
year to reflect the Consumer Price Index;
new text end

new text begin (B) alone or in combination, annually buys, receives for the business's commercial
purposes, sells, or shares for commercial purposes, alone or in combination, the personal
information of 50,000 or more consumers, households, or devices; or
new text end

new text begin (C) derives 50 percent or more of its annual revenues from selling consumers' personal
information; and
new text end

new text begin (2) any entity that controls or is controlled by a business as defined in clause (1) and
that shares common branding with the business. For purposes of this clause, "control" or
"controlled" means ownership of, or the power to vote, more than 50 percent of the
outstanding shares of any class of voting security of a business; control in any manner over
the election of a majority of the directors, or of individuals exercising similar functions; or
the power to exercise a controlling influence over the management of a company. For
purposes of this clause, "common branding" means a shared name, servicemark, or trademark
that the average consumer would understand that two or more entities are commonly owned.
new text end

new text begin For purposes of this chapter, for a joint venture or partnership composed of businesses in
which each business has at least a 40 percent interest, the joint venture or partnership and
each business that composes the joint venture or partnership shall separately be considered
a single business, except that personal information in the possession of each business and
disclosed to the joint venture or partnership must not be shared with the other business.
new text end

new text begin (d) "Child" means a consumer who is under 18 years of age.
new text end

new text begin (e) "Collect" means buying, renting, gathering, obtaining, receiving, or accessing any
personal information pertaining to a consumer by any means. This includes receiving
information from the consumer, either actively or passively, or by observing the consumer's
behavior.
new text end

new text begin (f) "Consumer" means a natural person who is a Minnesota resident, however identified,
including by any unique identifier.
new text end

new text begin (g) "Dark pattern" means a user interface designed or manipulated with the substantial
effect of subverting or impairing user autonomy, decision making, or choice.
new text end

new text begin (h) "Data protection impact assessment" means a systematic survey to assess and mitigate
risks to children who are reasonably likely to access the online service, product, or feature
that arise from the data management practices of the business.
new text end

new text begin (i) "Default" means a preselected option adopted by the business for the online service,
product, or feature.
new text end

new text begin (j) "Deidentified" means information that cannot reasonably be used to infer information
about, or otherwise be linked to, a particular consumer provided that the business that
possesses the information:
new text end

new text begin (1) takes reasonable measures to ensure that the information cannot be associated with
a consumer or household;
new text end

new text begin (2) publicly commits to maintain and use the information in deidentified form and not
to attempt to reidentify the information, except that the business may attempt to reidentify
the information solely for the purpose of determining whether its deidentification processes
satisfy the requirements of this paragraph; and
new text end

new text begin (3) contractually obligates any recipients of the information to maintain the data in
deidentified form in accordance with this definition.
new text end

new text begin (k) "Likely to be accessed by children" means an online service, product, or feature that
it is reasonable to expect would be accessed by children based on any of the following
indicators:
new text end

new text begin (1) the online service, product, or feature is directed to children, as defined by the
Children's Online Privacy Protection Act, United States Code, title 15, section 6501 et seq.;
new text end

new text begin (2) the online service, product, or feature is determined, based on competent and reliable
evidence regarding audience composition, to be routinely accessed by a significant number
of children;
new text end

new text begin (3) the online service, product, or feature contains advertisements marketed to children;
new text end

new text begin (4) the online service, product, or feature is substantially similar or the same as an online
service, product, or feature subject to clause (2);
new text end

new text begin (5) the online service, product, or feature has design elements that are known to be of
interest to children, including but not limited to games, cartoons, music, and celebrities who
appeal to children; or
new text end

new text begin (6) a significant amount of the audience of the online service, product, or feature is
determined, based on internal company research, to be children.
new text end

new text begin (l) "Online service, product, or feature" does not mean any of the following:
new text end

new text begin (1) telecommunications service, as defined in United States Code, title 47, section 153;
or
new text end

new text begin (2) the delivery or use of a physical product.
new text end

new text begin (m) "Personal information" means information that identifies, relates to, describes, is
reasonably capable of being associated with, or could reasonably be linked, directly or
indirectly, with a particular consumer or household. Personal information includes but is
not limited to the following if it identifies, relates to, describes, is reasonably capable of
being associated with, or could be reasonably linked, directly or indirectly, with a particular
consumer or household:
new text end

new text begin (1) identifiers such as a real name, alias, postal address, unique personal identifier, online
identifier, Internet Protocol address, email address, account name, Social Security number,
driver's license number, passport number, or other similar identifiers;
new text end

new text begin (2) characteristics of protected classifications under state or federal law;
new text end

new text begin (3) commercial information, including records of personal property; products or services
purchased, obtained, or considered; or other purchasing or consuming histories or tendencies;
new text end

new text begin (4) biometric information;
new text end

new text begin (5) Internet or other electronic network activity information, including but not limited
to browsing history, search history, and information regarding a consumer's interaction with
an Internet website application, or advertisement;
new text end

new text begin (6) geolocation data;
new text end

new text begin (7) audio, electronic, visual, thermal, olfactory, or similar information;
new text end

new text begin (8) professional or employment-related information;
new text end

new text begin (9) education information, defined as information that is not publicly available personally
identifiable information as defined in the Family Educational Rights and Privacy Act, United
States Code, title 20, section 1232g, and Code of Federal Regulations, title 34, part 99;
new text end

new text begin (10) inferences drawn from any of the information identified in this paragraph to create
a profile about a consumer reflecting the consumer's preferences, characteristics,
psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes;
and
new text end

new text begin (11) sensitive personal information.
new text end

new text begin Personal information does not include publicly available information or lawfully obtained,
truthful information that is a matter of public concern. Personal information does not include
consumer information that is deidentified or aggregate consumer information.
new text end

new text begin (n) "Precise geolocation" means any data that is derived from a device and that is used
or intended to be used to locate a consumer within a geographic area that is equal to or less
than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations.
new text end

new text begin (o) "Profiling" means any form of automated processing of personal information that
uses personal information to evaluate certain aspects relating to a natural person, including
analyzing or predicting aspects concerning a natural person's performance at work, economic
situation, health, personal preferences, interests, reliability, behavior, location, or movements.
new text end

new text begin (p) "Publicly available" means information that is lawfully made available from federal,
state, or local government records or information that a business has a reasonable basis to
believe is lawfully made available to the general public by the consumer or from widely
distributed media. Publicly available does not mean biometric information collected by a
business about a consumer without the consumer's knowledge.
new text end

new text begin (q) "Sell" means selling, renting, releasing, disclosing, disseminating, making available,
transferring, or otherwise communicating orally, in writing, or by electronic or other means
a consumer's personal information by the business to a third party for monetary or other
valuable consideration.
new text end

new text begin (r) "Sensitive personal information" means:
new text end

new text begin (1) personal information that reveals:
new text end

new text begin (i) a consumer's Social Security, driver's license, state identification card, or passport
number;
new text end

new text begin (ii) a consumer's account log-in, financial account, debit card, or credit card number in
combination with any required security or access code, password, or credentials allowing
access to an account;
new text end

new text begin (iii) a consumer's precise geolocation;
new text end

new text begin (iv) a consumer's racial or ethnic origin, religious or philosophical beliefs, or union
membership;
new text end

new text begin (v) the contents of a consumer's mail, email, and text messages unless the business is
the intended recipient of the communication; or
new text end

new text begin (vi) a consumer's genetic data;
new text end

new text begin (2) the processing of biometric information for the purpose of uniquely identifying a
consumer;
new text end

new text begin (3) personal information collected and analyzed concerning a consumer's health; or
new text end

new text begin (4) personal information collected and analyzed concerning a consumer's sex life or
sexual orientation.
new text end

new text begin Sensitive personal information that is publicly available is not sensitive personal information
or personal information.
new text end

new text begin (s) "Share" means sharing, renting, releasing, disclosing, disseminating, making available,
transferring, or otherwise communicating orally, in writing, or by electronic or other means
a consumer's personal information by the business to a third party for cross-context behavioral
advertising, whether or not for monetary or other valuable consideration, including
transactions between a business and a third party for cross-context behavioral advertising
for the benefit of a business in which no money is exchanged.
new text end

new text begin (t) "Third party" means a person who is not any of the following:
new text end

new text begin (1) the business with whom the consumer intentionally interacts and that collects personal
information from the consumer as part of the consumer's current interaction with the business
under this title;
new text end

new text begin (2) a service provider to the business; or
new text end

new text begin (3) a contractor with the business.
new text end

Sec. 4.

new text begin [325O.03] SCOPE; EXCLUSIONS.
new text end

new text begin This chapter does not apply to:
new text end

new text begin (1) protected health information that is collected by a covered entity or business associate
governed by the privacy, security, and breach notification rules issued by the United States
Department of Health and Human Services, Code of Federal Regulations, title 45, parts 160
and 164, established pursuant to the Health Insurance Portability and Accountability Act
of 1996, Public Law 104-191, and the Health Information Technology for Economic and
Clinical Health Act, Public Law 111-5;
new text end

new text begin (2) a covered entity governed by the privacy, security, and breach notification rules
issued by the United States Department of Health and Human Services, Code of Federal
Regulations, title 45, parts 160 and 164, established pursuant to the Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191, to the extent the provider
or covered entity maintains patient information in the same manner as medical information
or protected health information as described in clause (1); or
new text end

new text begin (3) information collected as part of a clinical trial subject to the federal policy for the
protection of human subjects, also known as the common rule, pursuant to good clinical
practice guidelines issued by the International Council for Harmonisation or pursuant to
human subject protection requirements of the United States Food and Drug Administration.
new text end

Sec. 5.

new text begin [325O.04] BUSINESS OBLIGATIONS.
new text end

new text begin Subdivision 1. new text end

new text begin Requirements for businesses. new text end

new text begin A business that provides an online service,
product, or feature likely to be accessed by children must:
new text end

new text begin (1) before any new online services, products, or features are offered to the public,
complete a data protection impact assessment for any online service, product, or feature
likely to be accessed by children and maintain documentation of this assessment as long as
the online service, product, or feature is likely to be accessed by children;
new text end

new text begin (2) biennially review all data protection impact assessments;
new text end

new text begin (3) document any risk of material detriment to children that arises from the data
management practices of the business identified in the data protection impact assessment
required by clause (1) and create a timed plan to mitigate or eliminate the risk before the
online service, product, or feature is accessed by children;
new text end

new text begin (4) within three business days of a written request by the attorney general, provide to
the attorney general a list of all data protection impact assessments the business has
completed;
new text end

new text begin (5) within five business days of a written request by the attorney general, provide the
attorney general with a copy of any data protection impact assessment;
new text end

new text begin (6) estimate the age of child users with a reasonable level of certainty appropriate to the
risks that arise from the data management practices of the business or apply the privacy and
data protections afforded to children to all consumers;
new text end

new text begin (7) configure all default privacy settings provided to children by the online service,
product, or feature to settings that offer a high level of privacy, unless the business can
demonstrate a compelling reason that a different setting is in the best interests of children;
new text end

new text begin (8) provide any privacy information, terms of service, policies, and community standards
concisely, prominently, and using clear language suited to the age of children likely to
access that online service, product, or feature;
new text end

new text begin (9) if the online service, product, or feature allows a child's parent, guardian, or any
other consumer to monitor the child's online activity or track the child's location, provide
an obvious signal to the child when the child is being monitored or tracked;
new text end

new text begin (10) enforce published terms, policies, and community standards established by the
business, including but not limited to privacy policies and those concerning children; and
new text end

new text begin (11) provide prominent, accessible, and responsive tools to help children, or if applicable
their parents or guardians, exercise their privacy rights and report concerns.
new text end

new text begin Subd. 2. new text end

new text begin Data protection impact assessments; requirements. new text end

new text begin (a) A data protection
impact assessment required by this section must:
new text end

new text begin (1) identify the purpose of the online service, product, or feature; how it uses children's
personal information; and the risks of material detriment to children that arise from the data
management practices of the business; and
new text end

new text begin (2) address, to the extent applicable:
new text end

new text begin (i) whether the design of the online product, service, or feature could harm children,
including by exposing children to harmful, or potentially harmful, content on the online
product, service, or feature;
new text end

new text begin (ii) whether the design of the online product, service, or feature could lead to children
experiencing or being targeted by harmful, or potentially harmful, contacts on the online
product, service, or feature;
new text end

new text begin (iii) whether the design of the online product, service, or feature could permit children
to witness, participate in, or be subject to harmful, or potentially harmful, conduct on the
online product, service, or feature;
new text end

new text begin (iv) whether the design of the online product, service, or feature could allow children
to be party to or exploited by a harmful, or potentially harmful, contact on the online product,
service, or feature;
new text end

new text begin (v) whether algorithms used by the online product, service, or feature could harm children;
new text end

new text begin (vi) whether targeted advertising systems used by the online product, service, or feature
could harm children;
new text end

new text begin (vii) whether and how the online product, service, or feature uses system design features
to increase, sustain, or extend use of the online product, service, or feature by children,
including the automatic playing of media, rewards for time spent, and notifications; and
new text end

new text begin (viii) whether, how, and for what purpose the online product, service, or feature collects
or processes sensitive personal information of children.
new text end

new text begin (b) A data protection impact assessment conducted by a business for the purpose of
compliance with any other law complies with this section if the data protection impact
assessment meets the requirements of this chapter.
new text end

new text begin (c) A single data protection impact assessment may contain multiple similar processing
operations that present similar risks only if each relevant online service, product, or feature
is addressed.
new text end

new text begin Subd. 3. new text end

new text begin Prohibitions on businesses. new text end

new text begin A business that provides an online service, product,
or feature likely to be accessed by children must not:
new text end

new text begin (1) use the personal information of any child in a way that the business knows, or has
reason to know, is materially detrimental to the physical health, mental health, or well-being
of a child;
new text end

new text begin (2) profile a child by default unless both of the following criteria are met:
new text end

new text begin (i) the business can demonstrate it has appropriate safeguards in place to protect children;
and
new text end

new text begin (ii) either of the following is true:
new text end

new text begin (A) profiling is necessary to provide the online service, product, or feature requested
and only with respect to the aspects of the online service, product, or feature with which a
child is actively and knowingly engaged; or
new text end

new text begin (B) the business can demonstrate a compelling reason that profiling is in the best interests
of children;
new text end

new text begin (3) collect, sell, share, or retain any personal information that is not necessary to provide
an online service, product, or feature with which a child is actively and knowingly engaged,
or as described below, unless the business can demonstrate a compelling reason that the
collecting, selling, sharing, or retaining of the personal information is in the best interests
of children likely to access the online service, product, or feature;
new text end

new text begin (4) if the end user is a child, use personal information for any reason other than a reason
for which that personal information was collected, unless the business can demonstrate a
compelling reason that use of the personal information is in the best interests of children;
new text end

new text begin (5) collect, sell, or share any precise geolocation information of children by default,
unless the collection of that precise geolocation information is strictly necessary for the
business to provide the service, product, or feature requested and then only for the limited
time that the collection of precise geolocation information is necessary to provide the service,
product, or feature;
new text end

new text begin (6) collect any precise geolocation information of a child without providing an obvious
sign to the child for the duration of that collection that precise geolocation information is
being collected;
new text end

new text begin (7) use dark patterns to lead or encourage children to provide personal information
beyond what is reasonably expected to provide that online service, product, or feature to
forego privacy protections, or to take any action that the business knows, or has reason to
know, is materially detrimental to the child's physical health, mental health, or well-being;
or
new text end

new text begin (8) use any personal information collected to estimate age or age range for any purpose
other than to fulfill the requirements of subdivision 1, clause (6), or retain that personal
information longer than necessary to estimate age. Age assurance must be proportionate to
the risks and data practice of an online service, product, or feature.
new text end

new text begin Subd. 4. new text end

new text begin Data practices. new text end

new text begin (a) A data protection impact assessment collected or maintained
by the attorney general under subdivision 1 is classified as nonpublic data or private data
on individuals under section 13.02, subdivisions 9 and 12.
new text end

new text begin (b) To the extent any information contained in a data protection impact assessment
disclosed to the attorney general includes information subject to attorney-client privilege
or work product protection, disclosure pursuant to this section does not constitute a waiver
of that privilege or protection.
new text end

Sec. 6.

new text begin [325O.05] ATTORNEY GENERAL ENFORCEMENT.
new text end

new text begin (a) A business that violates this chapter may be subject to an injunction and liable for a
civil penalty of not more than $2,500 per affected child for each negligent violation, or not
more than $7,500 per affected child for each intentional violation, which may be assessed
and recovered only in a civil action brought by the attorney general in accordance with
section 8.31. If the state prevails in an action to enforce this chapter, the state may, in addition
to penalties provided by this paragraph or other remedies provided by law, be allowed an
amount determined by the court to be the reasonable value of all or part of the state's litigation
expenses incurred.
new text end

new text begin (b) Any penalties, fees, and expenses recovered in an action brought under this chapter
must be deposited in an account in the special revenue fund and are appropriated to the
attorney general to offset costs incurred by the attorney general in connection with
enforcement of this chapter.
new text end

new text begin (c) If a business is in substantial compliance with the requirements of section 325O.04,
subdivision 1, clauses (1) to (5), the attorney general must, before initiating a civil action
under this section, provide written notice to the business identifying the specific provisions
of this chapter that the attorney general alleges have been or are being violated. If, within
90 days of the notice required by this paragraph, the business cures any noticed violation
and provides the attorney general a written statement that the alleged violations have been
cured, and sufficient measures have been taken to prevent future violations, the business is
not liable for a civil penalty for any violation cured pursuant to this section.
new text end

new text begin (d) Nothing in this chapter provides a private right of action under this chapter, section
8.31, or any other law.
new text end

Sec. 7. new text begin EFFECTIVE DATE.
new text end

new text begin (a) This act is effective July 1, 2024.
new text end

new text begin (b) By July 1, 2025, a business must complete a data protection impact assessment for
any online service, product, or feature likely to be accessed by children offered to the public
before July 1, 2024, unless that online service, product, or feature is exempt under paragraph
(c).
new text end

new text begin (c) This act does not apply to an online service, product, or feature that is not offered to
the public on or after July 1, 2024.
new text end