Building on the momentum of the California Consumer Privacy Act (“CCPA”), the California Privacy Rights Act (“CPRA”), and the Virginia Consumer Data Protection Act (“CDPA”), and on the consideration of similar laws in states like Washington and New York, Minnesota’s legislature is debating HF 36, introduced on January 7, 2021, and HF 1492, introduced on February 22, 2021. Significantly, HF 36 grants consumers a private right of action for any violation of its provisions, something that was considered but not ultimately included in the CCPA, which provides a private right of action only in the event of a data breach. In contrast, HF 1492 joins Virginia’s CDPA in relying on regulatory enforcement and generally pursues an approach closer to Europe’s General Data Protection Regulation (“GDPR”). If passed, HF 36 would take effect on June 30, 2022, and HF 1492, also known as the Minnesota Consumer Data Privacy Act (“MCDPA”), on July 31, 2022.
Applicability and Scope
Both bills would limit coverage to for-profit businesses that meet certain jurisdictional thresholds. Similar to the CCPA, HF 36 uses the terms business, service provider, and third party, and would apply to a “business” that has annual gross revenues in excess of $25,000,000; that annually buys or sells the personal information of 50,000 or more consumers; or that derives 50% or more of its annual revenues from selling consumers’ personal information. HF 36 would also apply to an entity that controls or is controlled by a “business” meeting those criteria, if it shares common branding with that business. In contrast, the MCDPA follows the GDPR’s terminology, like Virginia’s CDPA, in referring to “controllers,” who determine the purposes and means of the processing of personal data, and “processors,” who process personal data on behalf of controllers. The MCDPA’s jurisdictional scope is limited to entities that conduct business in Minnesota or target products or services to Minnesota residents and that either annually control or process the personal data of at least 100,000 consumers, or derive more than 25% of their gross revenue from the sale of personal data and process or control the personal data of at least 25,000 consumers.
Both bills have fairly broad definitions of personal information or personal data. HF 36 largely follows the CCPA, encompassing “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular consumer.” Unlike the CCPA, however, it does not explicitly include data that could be linked to a particular household or device. Closer to the GDPR, the MCDPA defines “personal data” as “any information that is linked or reasonably linkable to an identified or identifiable natural person,” which does not include de-identified or publicly available information. In practice, this would make the potential universe of personal data similar under both bills.
Both bills define “consumer” as “a natural person.” Unlike HF 36, however, the MCDPA limits a “consumer” to “a natural person who is a Minnesota resident acting only in an individual or household context.” That definition excludes individuals who are residents of other states and those acting in a “commercial or employment context.”
Transparency and Notice
Collection and Use of Data
Both bills require businesses to use data only in the ways they disclose to consumers. Under HF 36, if the business wishes to collect additional categories of personal information or to use or disclose the data for other purposes, it must issue a new notice of collection to consumers. Under the MCDPA, the “use of data” restrictions impose three separate obligations on controllers. First, a controller must collect and process only personal data that is “reasonably necessary” to accomplish the purposes of the processing; the consumer must consent before personal data is processed for any purpose that is not “reasonably necessary” for, or “compatible” with, the purposes disclosed to the consumer. Second, controllers must implement “reasonable” administrative, technical, and physical data security practices that are “appropriate to the volume and nature of the personal data at issue.” Finally, controllers are barred from processing sensitive data without the consumer’s consent (or, for a child, that of the child’s parent or guardian). Sensitive data falls into any of the following four categories: (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data that uniquely identifies a natural person; (iii) personal data of a known child; or (iv) specific geolocation data.
HF 36 and the MCDPA both prohibit businesses and controllers, respectively, from discriminating against consumers who exercise the privacy rights granted by the bills. In addition, the MCDPA prohibits controllers from processing personal data on the basis of enumerated characteristics such as race and national origin in an unlawfully discriminatory manner.
Data Protection Assessments
Only the MCDPA requires controllers to perform data protection assessments. The requirement is triggered when the processing of personal data involves targeted advertising; the sale of personal data; sensitive data; a “heightened risk of harm to consumers;” or profiling that creates a “reasonably foreseeable risk” of certain harms to consumers, such as unfair or deceptive treatment or financial, physical, or reputational injury, among others. The MCDPA explicitly requires that the data protection assessment weigh the potential benefits of the processing against the risks to consumers’ rights. If a controller is investigated by the attorney general, its data protection assessments must be produced upon request.
Third Parties, Service Providers, and Processors
Both bills limit how third parties, including service providers and processors, can use data that is shared with them. Under HF 36, third parties that purchase personal information cannot sell that information unless they provide consumers with explicit notice and an opportunity to opt out of the sale. The bill defines “sale” similarly to the CCPA, to include sharing personal information “for any monetary or other valuable consideration,” but unlike the CCPA, which includes the disclosure of personal information within its definition of a sale, HF 36 expressly states that “sell does not include disclose.”
In addition, similar to the CCPA and the GDPR, HF 36 and the MCDPA both require businesses to have a contract in place with their service providers or processors. Under HF 36, the contract must prohibit the service provider from “retaining, using, or disclosing the personal information for any purpose other than the specific purpose of performing the services specified in the contract for the business” or as otherwise permitted by law. Under the MCDPA, the contract between the controller and processor must contain binding instructions for the processor regarding the nature and purpose of the processing, the type of personal data that will be processed, the duration of the processing, and each party’s rights and obligations. Other required elements include end-of-contract terms for the return or deletion of personal data and a provision obligating the processor to permit reasonable audits and inspections by the controller or by an auditor selected by the controller. In addition to following the controller’s instructions, a processor must help the controller fulfill its statutory obligations. Independently, processors must ensure that every person who processes personal data is bound by a duty of confidentiality.
Consumer Rights
HF 36 and the MCDPA both provide several rights to consumers regarding their personal information. HF 36 grants consumers the rights to access personal information, to opt out of the sale of personal information, and to delete personal information. In addition, a business that sells a consumer’s personal information to a third party must, at or before the point of sale, inform the consumer of: the categories of personal information that may be sold; the categories of third parties to which the personal information may be sold and the commercial purpose for the sale; and the consumer’s right to opt out of the sale. Businesses must provide two or more designated methods for consumers to exercise their rights to access and deletion, as well as to opt out of sales, including a toll-free telephone number. Businesses that operate a website must post a clear and conspicuous link on the home page permitting consumers to submit access and deletion requests, and businesses that also sell personal information must post a clear and conspicuous “Do Not Sell My Personal Information” link on the home page.
The MCDPA provides consumers with the rights to confirm whether a controller is processing their personal data and to access that data; to correct inaccurate personal data; to delete personal data; to obtain personal data in a portable and readily usable format (data portability); and to opt out of processing for targeted advertising, the sale of personal data, or certain kinds of profiling. Controllers are required to offer one or more methods for consumers to exercise these rights, free of charge, up to two times each year. Consumers cannot exercise their rights to access, correction, deletion, or portability if the controller meets certain conditions, including that it is not reasonably capable of associating the request with the personal data and does not sell the data.
Unlike the CCPA and the MCDPA, both of which exempt personal information subject to certain federal laws such as the Gramm-Leach-Bliley Act (“GLBA”) and the Health Insurance Portability and Accountability Act (“HIPAA”), HF 36 offers no such exemptions.
Enforcement and Liability
The two bills differ in their means of enforcement and liability. Under the MCDPA, only the state attorney general (AG) can bring a civil action against a controller or processor. The AG can seek an injunction and recover a civil penalty of up to $7,500 for each violation, but only after the business has been given a 30-day window to cure any violations. While a private right of action is absent from the current draft of the MCDPA, amendments adding such a right are reportedly circulating. HF 36 already includes a provision granting consumers a private right of action in addition to AG enforcement. Statutory damages range from $100 to $750 per consumer, per violation, or actual damages, whichever is greater. Investigation costs, reasonable attorney fees, and other equitable relief determined by the court are also available. For violations deemed “willful and malicious,” exemplary damages are recoverable “in an amount not exceeding three times other damages awarded.”
State legislatures across the country continue to introduce data protection bills focused on a number of critical issues, including consumer rights, data security, and biometric information. Recent months have seen significant legislative proposals in states such as New York, Florida, and Washington, and several more new state privacy laws could well be enacted in 2021.