Large and Small Privacy Bills Introduced in the Land of 10,000 Lakes (think Mille Lacs vs. Bemidji)

The “Minnesota Consumer Data Privacy Act,” HF 3936, is a walleye-size privacy bill that significantly expands on the California Consumer Privacy Act.  Unlike the CCPA, it does not include a dollar threshold for applicability.

Instead, it would apply to entities conducting business in Minnesota or targeting its residents with products or services that:

  1. control or process personal data of 100,000 consumers; or
  2. derive more than 50 percent of gross revenue from the sale of personal data and process or control personal data of 25,000 or more consumers.

The legislation would provide consumers the right to know and request deletion of personal information collected about them and to opt-out of the sale of their personal information.  Additionally, consumers would have the right to correction and data portability.

Specific responsibilities are assigned to “processors” and “controllers.” For example, processors would be responsible for adhering to controllers’ contractual instructions, assisting controllers with consumer requests through “technical and organizational measures,” assisting controllers with respect to the security and processing of personal data and breach notification, agreeing to audits by the controller, and ensuring “each person processing the personal data is subject to a duty of confidentiality with respect to the data.”

The legislation contains a lengthy section regarding facial recognition, providing in part:

Processors that provide facial recognition services must make available an application programming interface or other technical capability, chosen by the processor, to enable controllers or third parties to conduct legitimate, independent, and reasonable tests of those facial recognition services for accuracy and unfair performance differences across distinct subpopulations . . .

Controllers’ responsibilities would include, in part, providing a CCPA-type privacy notice, establishing the means for submission and authentication of consumers’ requests, and conducting and documenting data protection assessments, which must be provided to the attorney general upon request. “Authentication” is defined as “to use reasonable means to determine that a request to exercise any of the rights . . . is being made by the consumer who is entitled to exercise such rights with respect to the personal data at issue.”

The legislation would provide exemptions for information processed pursuant to the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act (GLBA), as well as pursuant to various other laws.

There would be no private right of action, but the attorney general would have enforcement power including the assessment of civil penalties up to $7,500 per violation.

In contrast, Minnesota HF 3096 is a minnow-size version of the CCPA that would apply to any for-profit business, regardless of whether it “does business” in Minnesota, that:

  1. has annual gross revenue in excess of $25 million;
  2. annually buys or sells the personal information of 50,000 or more consumers, households, or devices; or
  3. derives 50 percent or more of its annual revenues from selling consumers’ personal information.

The legislation would require a notice at collection and provide consumers the right to know and request deletion of personal information collected about them and to opt-out of the sale of their personal information.

Interestingly, the legislation does not specify any particular methods to verify a consumer’s identity with respect to a request, stating only that “a business may require authentication of the consumer’s identity and the request.” 

The legislation does not include any exemptions for businesses or personal information subject to HIPAA, FCRA or GLBA.

The legislation does not provide for a private right of action, but the attorney general could seek damages between $100 and $750 per consumer per violation and treble damages in the event of willful and malicious violations.

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see
