Skip to main content Skip to office menu Skip to footer
Capital IconMinnesota Legislature

SF 2810

1st Engrossment - 93rd Legislature (2023 - 2024) Posted on 03/19/2024 09:09am

KEY: stricken = removed, old language.
underscored = added, new language.
Line numbers 1.1 1.2 1.3 1.4 1.5 1.6 1.7
1.8 1.9 1.10 1.11 1.12 1.13 1.14
1.15 1.16 1.17 1.18 1.19 1.20 2.1 2.2 2.3
2.4 2.5 2.6 2.7 2.8 2.9 2.10 2.11 2.12 2.13 2.14 2.15 2.16 2.17 2.18 2.19 2.20 2.21 2.22 2.23 2.24 2.25 2.26 2.27 2.28 2.29 2.30 2.31 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 3.20 3.21 3.22 3.23 3.24 3.25 3.26 3.27 3.28 3.29 3.30 3.31 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10 4.11 4.12 4.13 4.14 4.15 4.16 4.17 4.18 4.19 4.20 4.21 4.22 4.23 4.24 4.25 4.26 4.27 4.28 4.29 4.30 4.31 5.1 5.2 5.3 5.4 5.5 5.6 5.7 5.8
5.9 5.10 5.11 5.12 5.13 5.14 5.15 5.16 5.17 5.18 5.19 5.20 5.21 5.22 5.23 5.24 5.25 5.26 5.27 5.28 5.29 5.30 6.1 6.2 6.3 6.4 6.5 6.6 6.7 6.8 6.9 6.10
6.11 6.12 6.13 6.14 6.15 6.16 6.17 6.18 6.19 6.20 6.21 6.22 6.23 6.24 6.25 6.26 6.27 6.28 6.29 6.30 7.1 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9 7.10 7.11 7.12 7.13 7.14 7.15 7.16 7.17 7.18 7.19 7.20 7.21 7.22 7.23 7.24 7.25 7.26 7.27 7.28 7.29 7.30 7.31 7.32 8.1 8.2 8.3 8.4 8.5 8.6 8.7 8.8 8.9 8.10 8.11 8.12 8.13 8.14 8.15 8.16 8.17 8.18 8.19 8.20 8.21 8.22 8.23 8.24 8.25 8.26 8.27 8.28 8.29 8.30 8.31 8.32 9.1 9.2 9.3 9.4 9.5 9.6 9.7 9.8 9.9 9.10 9.11 9.12 9.13 9.14 9.15 9.16 9.17 9.18 9.19 9.20 9.21 9.22 9.23 9.24 9.25 9.26
9.27 9.28 9.29 9.30 9.31 9.32 9.33 10.1 10.2 10.3 10.4 10.5 10.6 10.7 10.8 10.9 10.10 10.11 10.12 10.13 10.14 10.15 10.16
10.17 10.18 10.19 10.20 10.21 10.22 10.23 10.24

A bill for an act
relating to consumer data privacy; creating the Minnesota Age-Appropriate Design
Code Act; placing obligations on certain businesses regarding children's consumer
information; providing for enforcement by the attorney general; proposing coding
for new law in Minnesota Statutes, chapter 13; proposing coding for new law as
Minnesota Statutes, chapter 325O.

BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA:

Section 1.

new text begin [13.6505] ATTORNEY GENERAL DATA CODED ELSEWHERE.
new text end

new text begin Subdivision 1. new text end

new text begin Scope. new text end

new text begin The sections referred to in this section are codified outside this
chapter. Those sections classify attorney general data as other than public, place restrictions
on access to government data, or involve data sharing.
new text end

new text begin Subd. 2. new text end

new text begin Data protection impact assessments. new text end

new text begin A data protection impact assessment
collected or maintained by the attorney general under section 325O.04, is classified under
subdivision 4 of that section.
new text end

Sec. 2.

new text begin [325O.01] CITATION; CONSTRUCTION.
new text end

new text begin Subdivision 1. new text end

new text begin Citation. new text end

new text begin This chapter may be cited as the "Minnesota Age-Appropriate
Design Code Act."
new text end

new text begin Subd. 2. new text end

new text begin Construction. new text end

new text begin (a) A business that develops and provides online services,
products, or features that children are likely to access must consider the best interests of
children when designing, developing, and providing that online service, product, or feature.
new text end

new text begin (b) If a conflict arises between commercial interests of a business and the best interests
of children likely to access an online product, service, or feature, the business must prioritize
the privacy, safety, and well-being of children over its commercial interests.
new text end

Sec. 3.

new text begin [325O.02] DEFINITIONS.
new text end

new text begin (a) For purposes of this chapter, the following terms have the meanings given.
new text end

new text begin (b) "Affiliate" means a legal entity that controls, is controlled by, or is under common
control with, that other legal entity. For these purposes, "control" or "controlled" means:
ownership of, or the power to vote, more than 50 percent of the outstanding shares of any
class of voting security of a company; control in any manner over the election of a majority
of the directors or of individuals exercising similar functions; or the power to exercise a
controlling influence over the management of a company.
new text end

new text begin (c) "Business" means:
new text end

new text begin (1) a sole proprietorship, partnership, limited liability company, corporation, association,
or other legal entity that is organized or operated for the profit or financial benefit of its
shareholders or other owners; and
new text end

new text begin (2) an affiliate of a business that shares common branding with the business. For purposes
of this clause, "common branding" means a shared name, servicemark, or trademark that
the average consumer would understand that two or more entities are commonly owned.
new text end

new text begin For purposes of this chapter, for a joint venture or partnership composed of businesses in
which each business has at least a 40 percent interest, the joint venture or partnership and
each business that composes the joint venture or partnership shall separately be considered
a single business, except that personal data in the possession of each business and disclosed
to the joint venture or partnership must not be shared with the other business.
new text end

new text begin (d) "Child" means a consumer who is under 18 years of age.
new text end

new text begin (e) "Collect" means buying, renting, gathering, obtaining, receiving, or accessing any
personal data pertaining to a consumer by any means. This includes receiving data from the
consumer, either actively or passively, or by observing the consumer's behavior.
new text end

new text begin (f) "Consumer" means a natural person who is a Minnesota resident, however identified,
including by any unique identifier.
new text end

new text begin (g) "Dark pattern" means a user interface designed or manipulated with the substantial
effect of subverting or impairing user autonomy, decision making, or choice.
new text end

new text begin (h) "Data protection impact assessment" means a systematic survey to assess and mitigate
risks to children who are reasonably likely to access the online service, product, or feature
that arise from the data management practices of the business.
new text end

new text begin (i) "Default" means a preselected option adopted by the business for the online service,
product, or feature.
new text end

new text begin (j) "Deidentified" means data that cannot reasonably be used to infer information about,
or otherwise be linked to, an identified or identifiable natural person, or a device linked to
such person, provided that the business that possesses the data:
new text end

new text begin (1) takes reasonable measures to ensure that the data cannot be associated with a natural
person;
new text end

new text begin (2) publicly commits to maintain and use the data only in a deidentified fashion and not
attempt to reidentify the data; and
new text end

new text begin (3) contractually obligates any recipients of the data to comply with all provisions of
this paragraph.
new text end

new text begin (k) "Likely to be accessed by children" means an online service, product, or feature that
it is reasonable to expect would be accessed by children based on any of the following
indicators:
new text end

new text begin (1) the online service, product, or feature is directed to children, as defined by the
Children's Online Privacy Protection Act, United States Code, title 15, section 6501 et seq.;
new text end

new text begin (2) the online service, product, or feature is determined, based on competent and reliable
evidence regarding audience composition, to be routinely accessed by a significant number
of children;
new text end

new text begin (3) the online service, product, or feature contains advertisements marketed to children;
new text end

new text begin (4) the online service, product, or feature is substantially similar or the same as an online
service, product, or feature subject to clause (2);
new text end

new text begin (5) the online service, product, or feature has design elements that are known to be of
interest to children, including but not limited to games, cartoons, music, and celebrities who
appeal to children; or
new text end

new text begin (6) a significant amount of the audience of the online service, product, or feature is
determined, based on internal company research, to be children.
new text end

new text begin (l) "Online service, product, or feature" does not mean any of the following:
new text end

new text begin (1) telecommunications service, as defined in United States Code, title 47, section 153;
new text end

new text begin (2) a broadband service as defined by section 116J.39, subdivision 1; or
new text end

new text begin (3) the delivery or use of a physical product.
new text end

new text begin (m) "Personal data" means any information that is linked or reasonably linkable to an
identified or identifiable natural person. Personal data does not include deidentified data or
publicly available information. For purposes of this paragraph, "publicly available
information" means information that (1) is lawfully made available from federal, state, or
local government records or widely distributed media, and (2) a controller has a reasonable
basis to believe a consumer has lawfully made available to the general public.
new text end

new text begin (n) "Precise geolocation" means any data that is derived from a device and that is used
or intended to be used to locate a consumer within a geographic area that is equal to or less
than the area of a circle with a radius of 1,850 feet, except as prescribed by regulations.
new text end

new text begin (o) "Process" or "processing" means any operation or set of operations that are performed
on personal data or on sets of personal data, whether or not by automated means, such as
the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
new text end

new text begin (p) "Profiling" means any form of automated processing of personal data to evaluate,
analyze, or predict personal aspects concerning an identified or identifiable natural person's
economic situation, health, personal preferences, interests, reliability, behavior, location,
or movements.
new text end

new text begin (q) "Sale," "sell," or "sold" means the exchange of personal data for monetary or other
valuable consideration by a business to a third party. Sale does not include the following:
new text end

new text begin (1) the disclosure of personal data to a third party who processes the personal data on
behalf of the business;
new text end

new text begin (2) the disclosure of personal data to a third party with whom the consumer has a direct
relationship for purposes of providing a product or service requested by the consumer;
new text end

new text begin (3) the disclosure or transfer of personal data to an affiliate of the business;
new text end

new text begin (4) the disclosure of data that the consumer intentionally made available to the general
public via a channel of mass media and did not restrict to a specific audience; or
new text end

new text begin (5) the disclosure or transfer of personal data to a third party as an asset that is part of a
completed or proposed merger, acquisition, bankruptcy, or other transaction in which the
third party assumes control of all or part of the business's assets.
new text end

new text begin (r) "Share" means sharing, renting, releasing, disclosing, disseminating, making available,
transferring, or otherwise communicating orally, in writing, or by electronic or other means
a consumer's personal data by the business to a third party for cross-context behavioral
advertising, whether or not for monetary or other valuable consideration, including
transactions between a business and a third party for cross-context behavioral advertising
for the benefit of a business in which no money is exchanged.
new text end

new text begin (s) "Third party" means a natural or legal person, public authority, agency, or body other
than the consumer or the business.
new text end

Sec. 4.

new text begin [325O.03] SCOPE; EXCLUSIONS.
new text end

new text begin (a) A business is subject to this chapter if it:
new text end

new text begin (1) collects consumers' personal data or has consumers' personal data collected on its
behalf by a third party;
new text end

new text begin (2) alone or jointly with others, determines the purposes and means of the processing
of consumers' personal data;
new text end

new text begin (3) does business in Minnesota; and
new text end

new text begin (4) satisfies one or more of the following thresholds:
new text end

new text begin (i) has annual gross revenues in excess of $25,000,000, as adjusted every odd-numbered
year to reflect the Consumer Price Index;
new text end

new text begin (ii) alone or in combination, annually buys, receives for the business's commercial
purposes, sells, or shares for commercial purposes, alone or in combination, the personal
data of 50,000 or more consumers, households, or devices; or
new text end

new text begin (iii) derives 50 percent or more of its annual revenues from selling consumers' personal
data.
new text end

new text begin (b) This chapter does not apply to:
new text end

new text begin (1) protected health information that is collected by a covered entity or business associate
governed by the privacy, security, and breach notification rules issued by the United States
Department of Health and Human Services, Code of Federal Regulations, title 45, parts 160
and 164, established pursuant to the Health Insurance Portability and Accountability Act
of 1996, Public Law 104-191, and the Health Information Technology for Economic and
Clinical Health Act, Public Law 111-5;
new text end

new text begin (2) a covered entity governed by the privacy, security, and breach notification rules
issued by the United States Department of Health and Human Services, Code of Federal
Regulations, title 45, parts 160 and 164, established pursuant to the Health Insurance
Portability and Accountability Act of 1996, Public Law 104-191, to the extent the provider
or covered entity maintains patient information in the same manner as medical information
or protected health information as described in clause (1); or
new text end

new text begin (3) information collected as part of a clinical trial subject to the federal policy for the
protection of human subjects, also known as the common rule, pursuant to good clinical
practice guidelines issued by the International Council for Harmonisation or pursuant to
human subject protection requirements of the United States Food and Drug Administration.
new text end

Sec. 5.

new text begin [325O.04] BUSINESS OBLIGATIONS.
new text end

new text begin Subdivision 1. new text end

new text begin Requirements for businesses. new text end

new text begin A business that provides an online service,
product, or feature likely to be accessed by children must:
new text end

new text begin (1) before any new online services, products, or features are offered to the public,
complete a data protection impact assessment for any online service, product, or feature
likely to be accessed by children and maintain documentation of this assessment as long as
the online service, product, or feature is likely to be accessed by children;
new text end

new text begin (2) biennially review all data protection impact assessments;
new text end

new text begin (3) document any risk of material detriment to children that arises from the data
management practices of the business identified in the data protection impact assessment
required by clause (1) and create a timed plan to mitigate or eliminate the risk before the
online service, product, or feature is accessed by children;
new text end

new text begin (4) within three business days of a written request by the attorney general, provide to
the attorney general a list of all data protection impact assessments the business has
completed;
new text end

new text begin (5) within five business days of a written request by the attorney general, provide the
attorney general with a copy of any data protection impact assessment;
new text end

new text begin (6) estimate the age of child users with a reasonable level of certainty appropriate to the
risks that arise from the data management practices of the business or apply the privacy and
data protections afforded to children to all consumers;
new text end

new text begin (7) configure all default privacy settings provided to children by the online service,
product, or feature to settings that offer a high level of privacy, unless the business can
demonstrate a compelling reason that a different setting is in the best interests of children;
new text end

new text begin (8) provide any privacy information, terms of service, policies, and community standards
concisely, prominently, and using clear language suited to the age of children likely to
access that online service, product, or feature;
new text end

new text begin (9) if the online service, product, or feature allows a child's parent, guardian, or any
other consumer to monitor the child's online activity or track the child's location, provide
an obvious signal to the child when the child is being monitored or tracked;
new text end

new text begin (10) enforce published terms, policies, and community standards established by the
business, including but not limited to privacy policies and those concerning children; and
new text end

new text begin (11) provide prominent, accessible, and responsive tools to help children, or if applicable
their parents or guardians, exercise their privacy rights and report concerns.
new text end

new text begin Subd. 2. new text end

new text begin Data protection impact assessments; requirements. new text end

new text begin (a) A data protection
impact assessment required by this section must:
new text end

new text begin (1) identify the purpose of the online service, product, or feature; how it uses children's
personal data; and the risks of material detriment to children that arise from the data
management practices of the business; and
new text end

new text begin (2) address, to the extent applicable:
new text end

new text begin (i) whether the design of the online product, service, or feature could harm children,
including by exposing children to harmful, or potentially harmful, content on the online
product, service, or feature;
new text end

new text begin (ii) whether the design of the online product, service, or feature could lead to children
experiencing or being targeted by harmful, or potentially harmful, contacts on the online
product, service, or feature;
new text end

new text begin (iii) whether the design of the online product, service, or feature could permit children
to witness, participate in, or be subject to harmful, or potentially harmful, conduct on the
online product, service, or feature;
new text end

new text begin (iv) whether the design of the online product, service, or feature could allow children
to be party to or exploited by a harmful, or potentially harmful, contact on the online product,
service, or feature;
new text end

new text begin (v) whether algorithms used by the online product, service, or feature could harm children;
new text end

new text begin (vi) whether targeted advertising systems used by the online product, service, or feature
could harm children;
new text end

new text begin (vii) whether and how the online product, service, or feature uses system design features
to increase, sustain, or extend use of the online product, service, or feature by children,
including the automatic playing of media, rewards for time spent, and notifications; and
new text end

new text begin (viii) whether, how, and for what purpose the online product, service, or feature collects
or processes personal data of children.
new text end

new text begin (b) A data protection impact assessment conducted by a business for the purpose of
compliance with any other law complies with this section if the data protection impact
assessment meets the requirements of this chapter.
new text end

new text begin (c) A single data protection impact assessment may contain multiple similar processing
operations that present similar risks only if each relevant online service, product, or feature
is addressed.
new text end

new text begin Subd. 3. new text end

new text begin Prohibitions on businesses. new text end

new text begin A business that provides an online service, product,
or feature likely to be accessed by children must not:
new text end

new text begin (1) use the personal data of any child in a way that the business knows, or has reason to
know, is materially detrimental to the physical health, mental health, or well-being of a
child;
new text end

new text begin (2) profile a child by default unless both of the following criteria are met:
new text end

new text begin (i) the business can demonstrate it has appropriate safeguards in place to protect children;
and
new text end

new text begin (ii) either of the following is true:
new text end

new text begin (A) profiling is necessary to provide the online service, product, or feature requested
and only with respect to the aspects of the online service, product, or feature with which a
child is actively and knowingly engaged; or
new text end

new text begin (B) the business can demonstrate a compelling reason that profiling is in the best interests
of children;
new text end

new text begin (3) collect, sell, share, or retain any personal data that is not necessary to provide an
online service, product, or feature with which a child is actively and knowingly engaged,
or as described below, unless the business can demonstrate a compelling reason that the
collecting, selling, sharing, or retaining of the personal data is in the best interests of children
likely to access the online service, product, or feature;
new text end

new text begin (4) if the end user is a child, use personal data for any reason other than a reason for
which that personal data was collected, unless the business can demonstrate a compelling
reason that use of the personal data is in the best interests of children;
new text end

new text begin (5) collect, sell, or share any precise geolocation information of children by default,
unless the collection of that precise geolocation information is strictly necessary for the
business to provide the service, product, or feature requested and then only for the limited
time that the collection of precise geolocation information is necessary to provide the service,
product, or feature;
new text end

new text begin (6) collect any precise geolocation information of a child without providing an obvious
sign to the child for the duration of that collection that precise geolocation information is
being collected;
new text end

new text begin (7) use dark patterns to lead or encourage children to provide personal data beyond what
is reasonably expected to provide that online service, product, or feature to forego privacy
protections, or to take any action that the business knows, or has reason to know, is materially
detrimental to the child's physical health, mental health, or well-being; or
new text end

new text begin (8) use any personal data collected to estimate age or age range for any purpose other
than to fulfill the requirements of subdivision 1, clause (6), or retain that personal data longer
than necessary to estimate age. Age assurance must be proportionate to the risks and data
practice of an online service, product, or feature.
new text end

new text begin Subd. 4. new text end

new text begin Data practices. new text end

new text begin (a) A data protection impact assessment collected or maintained
by the attorney general under subdivision 1 is classified as nonpublic data or private data
on individuals under section 13.02, subdivisions 9 and 12.
new text end

new text begin (b) To the extent any information contained in a data protection impact assessment
disclosed to the attorney general includes information subject to attorney-client privilege
or work product protection, disclosure pursuant to this section does not constitute a waiver
of that privilege or protection.
new text end

Sec. 6.

new text begin [325O.05] ATTORNEY GENERAL ENFORCEMENT.
new text end

new text begin (a) A business that violates this chapter may be subject to an injunction and liable for a
civil penalty of not more than $2,500 per affected child for each negligent violation, or not
more than $7,500 per affected child for each intentional violation, which may be assessed
and recovered only in a civil action brought by the attorney general in accordance with
section 8.31. If the state prevails in an action to enforce this chapter, the state may, in addition
to penalties provided by this paragraph or other remedies provided by law, be allowed an
amount determined by the court to be the reasonable value of all or part of the state's litigation
expenses incurred.
new text end

new text begin (b) Any penalties, fees, and expenses recovered in an action brought under this chapter
must be deposited in an account in the special revenue fund and are appropriated to the
attorney general to offset costs incurred by the attorney general in connection with
enforcement of this chapter.
new text end

new text begin (c) If a business is in substantial compliance with the requirements of section 325O.04,
subdivision 1, clauses (1) to (5), the attorney general must, before initiating a civil action
under this section, provide written notice to the business identifying the specific provisions
of this chapter that the attorney general alleges have been or are being violated. If, within
90 days of the notice required by this paragraph, the business cures any noticed violation
and provides the attorney general a written statement that the alleged violations have been
cured, and sufficient measures have been taken to prevent future violations, the business is
not liable for a civil penalty for any violation cured pursuant to this section.
new text end

new text begin (d) Nothing in this chapter provides a private right of action under this chapter, section
8.31, or any other law.
new text end

Sec. 7. new text begin EFFECTIVE DATE.
new text end

new text begin (a) This act is effective July 1, 2024.
new text end

new text begin (b) By July 1, 2025, a business must complete a data protection impact assessment for
any online service, product, or feature likely to be accessed by children offered to the public
before July 1, 2024, unless that online service, product, or feature is exempt under paragraph
(c).
new text end

new text begin (c) This act does not apply to an online service, product, or feature that is not offered to
the public on or after July 1, 2024.
new text end