State Rep. Steve Elkins admits to some irritation when he would see a privacy notice pop up on his computer screen, only to be told computer users in his home state don’t have the same privacy rights as those in California, Virginia or Colorado.
Those states are part of a national trend toward explicitly requiring websites to give users enhanced privacy rights and tell them what those rights are.
After five years of trying, Elkins succeeded in May in adding Minnesota to that list with bill language that matches other states and, in some instances, exceeds them. Starting next July, Minnesota users can prevent personal data from being sold to data brokers and block that data from being used to target advertising at them. In the case of sensitive personal data, such as precise location and biometric data, users would have to give permission before it can be used.
At the end of the 2024 session, the Data Privacy Act was bundled along with some other Commerce Committee bills into updates to the recreational cannabis law. That explains why the entire bill passed on a nearly party-line vote. Being combined in the cannabis bill, something Elkins said was done “for legislative economy,” denied the bill a bipartisan endorsement and more public attention.
When the data privacy provisions were in House and Senate committees, they moved with unanimous voice votes, Elkins said.
“I rendered the bill so non-controversial that there was virtually no testimony of any kind during hearings — this year!” joked Elkins, DFL-Bloomington. Sen. Bonnie Westlin, DFL-Plymouth, was the prime sponsor in the Senate.
“Currently, tech companies can collect and sell data such as names, addresses, phone numbers, email addresses, payment information, Social Security numbers and so much more,” Westlin said before the bill passed. “When Minnesotans engage with tech platforms, they deserve to know what data is being collected, where it is being stored, whether it is secure and whether their data is being sold.
“The Minnesota Consumer Data Privacy Act gives Minnesotans rights over their data: the right to access the data, to correct the data … to delete their personal data, to obtain a copy of their data and to opt out of the sale of the data,” she said.
Fines can result from failing to comply.
The tech industry did not oppose the bill but worked with Elkins on some provisions. Mostly, they wanted the Minnesota version to be close to the provisions in other states. (Here’s how Marriott and Adobe inform users of state privacy laws.)
“Our multi-sector coalition is proud to have been one of many stakeholders that have worked on a comprehensive privacy framework that now covers well over 100 million Americans,” wrote Andrew Kingman in a statement about the bill. He is counsel to the State Privacy & Security Coalition, which worked on the bill with Elkins. The coalition consists of technology companies, telecom companies, retailers, car makers, credit card companies and health care.
The first state privacy act in the U.S. passed in California, but Elkins said it was such a rushed effort that it has not been a model for other states. That came when Washington state developed a version a decade ago, and that has become the template that Elkins said he started with.
Ironically, Washington’s draft has been the starting point for 19 states but has not led to passage in that state, due to a dispute over whether individuals could sue sponsors of webpages for violations of the act. Minnesota, like most states, does not allow this “private right of action” but, instead, turns over enforcement to public agencies.
In Minnesota that agency is the attorney general’s office, which is obligated to first send a warning letter and allow 30 days to fix violations before bringing civil actions against data controllers or processors such as data brokers or data analytics businesses. Fines are up to $7,500 per violation, plus reasonable attorney fees.
The new law requires companies that control or process personal data from at least 100,000 consumers or get over 25% of revenue from the sale of personal data to:
- Publish plain English descriptions of their privacy policies, something most already post at the bottom of homepages.
- Protect the privacy of consumer data they possess.
- Keep track of personal data.
- Limit their collection of data to what is necessary to provide goods or services and retain it no longer than is necessary to serve those purposes.
- Identify the employee responsible for administering data privacy.
- Allow consumers to opt out of processing personal data by using what are called universal opt-out mechanisms.
The same companies would be prohibited from using consumer data to discriminate and from attempting to identify the subjects of anonymous or de-identified consumer data.
Minnesota is one of three states to exempt small businesses from most of the provisions, except for the requirement that they get consumers to opt in before selling sensitive data, defined as personal data in which consumers may have a heightened privacy interest. The law also exempts government entities, including tribal nations, and does not cover nonprofits and colleges until 2029.
Controllers of data would have to respond to consumer requests within 45 days, though reasonable extensions are permitted. Data must be provided without charge up to twice a year.
Elkins said his own work in designing databases and managing data gave him insight into what his bill needed to succeed. He started with a requirement that creators of sites that collect and retain data, called “controllers” in the new law, need to create an inventory of the data they hold.
“If one of the basic responsibilities is to be able to let people see their data, provide a copy of their data and request that it be deleted, the first thing you have to have is an inventory of the data,” Elkins said. “If you don’t know where the consumer’s data is, how can you exercise these responsibilities?”
The law requires that controllers such as Amazon or a hotel company with a membership club only collect the data they need to serve the purposes of the relationship with the consumer. They then must delete the data once they no longer use it, based on an explicit data retention policy.
Jordan Francis, a policy counsel with the Future of Privacy Forum, wrote that the Minnesota law is “among the strongest iterations of the Washington Privacy Act (WPA) framework” and highlighted a unique feature of the Minnesota law — the right to contest the accuracy of data used to make decisions about individuals.
“Minnesota is the first state, however, to offer an additional right with respect to profiling: Where an individual’s data is profiled in furtherance of decisions that produce legal or similarly significant effects, the individual has a right to contest the result of the profiling,” Francis wrote. Those decisions could be employment related or negatively affect the ability to rent housing, get a loan or purchase insurance. If erroneous data has been used, consumers can challenge it, much as credit ratings can be challenged.
The new law also takes a different approach to how precise data collectors can be in figuring out where users are or where they live. Most other states with data privacy laws limit the location data that can be collected and retained. Usually, that means any data that identifies the location of a user more accurately than within 1,750 feet. Anything more precise is considered sensitive data and can only be collected with permission.
Elkins says some users might want their location to be known by the provider — rideshare apps, for example, or navigation services like OnStar or Google Maps. But weather apps just need to be close enough.
The Minnesota law uses a more-specific metric — the latitude and longitude of the phone or computer — and says anything more precise than three decimal points, which is accurate to within several blocks, is classified as sensitive data. Collecting location data with the precision of seven decimal points — well within the capability of a modern cell phone — can locate the device within three inches.
“The device manufacturers are scooping it up,” Elkins said of location data. He said he used a vendor for his last campaign that knew how to target ads only to people in his district who were likely voters. Such vendors buy that information from companies with apps that offer a service, such as weather forecasts, that allows them to collect location data.
“You know the old joke is that if you’re not paying for the product, you are the product,” Elkins said. “If the weather app knows that the first thing you do in the morning when you get out of bed is you check the weather, they know this is where this device spends the night.”
He cited studies that show how much data Google and other data collectors get from an Android phone and the privacy implications of the collection.
“Google may not know whether you’ve been bad or good but it knows when you’re sleeping and when you’re awake,” stated a Vanderbilt University article on research done by engineering professor Douglas C. Schmidt. “If you use an Android device with the Chrome browser running, the tech giant knows whether you are traveling by foot or car, where you shop, how often you use your Starbucks app and when you’ve made a doctor’s appointment.”
Editor’s note: Peter Callaghan wrote this story for MinnPost.com. Callaghan covers state government for MinnPost.
This article first appeared on MinnPost and is republished here under a Creative Commons license.
MinnPost is a nonprofit, nonpartisan media organization whose mission is to provide high-quality journalism for people who care about Minnesota.