Minn. Stat. § 325O.02

Current through Register Vol. 49, No. 8, August 19, 2024
Section 325O.02 - [As Added by 2024Minn. Laws, ch.121] [Effective 7/31/2025] DEFINITIONS
(a) For purposes of this chapter, the following terms have the meanings given.
(b) "Affiliate" means a legal entity that controls, is controlled by, or is under common control with another legal entity. For purposes of this paragraph, "control" or "controlled" means: ownership of or the power to vote more than 50 percent of the outstanding shares of any class of voting security of a company; control in any manner over the election of a majority of the directors or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company.
(c) "Authenticate" means to use reasonable means to determine that a request to exercise any of the rights under section 325O.05, subdivision 1, paragraphs (b) to (h), is being made by or rightfully on behalf of the consumer who is entitled to exercise the rights with respect to the personal data at issue.
(d) "Biometric data" means data generated by automatic measurements of an individual's biological characteristics, including a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual. Biometric data does not include:
(1) a digital or physical photograph;
(2) an audio or video recording; or
(3) any data generated from a digital or physical photograph, or an audio or video recording, unless the data is generated to identify a specific individual.
(e) "Child" has the meaning given in United States Code, title 15, section 6501.
(f) "Consent" means any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer. Acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. A consent is not valid when the consumer's indication has been obtained by a dark pattern. A consumer may revoke consent previously given, consistent with this chapter.
(g) "Consumer" means a natural person who is a Minnesota resident acting only in an individual or household context. Consumer does not include a natural person acting in a commercial or employment context.
(h) "Controller" means the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.
(i) "Decisions that produce legal or similarly significant effects concerning the consumer" means decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health care services, or access to essential goods or services.
(j) "Dark pattern" means a user interface designed or manipulated with the substantial effect of subverting or impairing user autonomy, decision making, or choice.
(k) "Deidentified data" means data that cannot reasonably be used to infer information about or otherwise be linked to an identified or identifiable natural person or a device linked to an identified or identifiable natural person, provided that the controller that possesses the data:
(1) takes reasonable measures to ensure that the data cannot be associated with a natural person;
(2) publicly commits to process the data only in a deidentified fashion and not attempt to reidentify the data; and
(3) contractually obligates any recipients of the information to comply with all provisions of this paragraph.
(l) "Delete" means to remove or destroy information so that it is not maintained in human- or machine-readable form and cannot be retrieved or utilized in the ordinary course of business.
(m) "Genetic information" has the meaning given in section 13.386, subdivision 1.
(n) "Identified or identifiable natural person" means a person who can be readily identified, directly or indirectly.
(o) "Known child" means a person under circumstances where a controller has actual knowledge of, or willfully disregards, that the person is under 13 years of age.
(p) "Personal data" means any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include deidentified data or publicly available information. For purposes of this paragraph, "publicly available information" means information that (1) is lawfully made available from federal, state, or local government records or widely distributed media, or (2) a controller has a reasonable basis to believe has lawfully been made available to the general public.
(q) "Process" or "processing" means any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means, including but not limited to the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.
(r) "Processor" means a natural or legal person who processes personal data on behalf of a controller.
(s) "Profiling" means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
(t) "Pseudonymous data" means personal data that cannot be attributed to a specific natural person without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
(u) "Sale," "sell," or "sold" means the exchange of personal data for monetary or other valuable consideration by the controller to a third party. Sale does not include the following:
(1) the disclosure of personal data to a processor who processes the personal data on behalf of the controller;
(2) the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
(3) the disclosure or transfer of personal data to an affiliate of the controller;
(4) the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
(5) the disclosure or transfer of personal data to a third party as an asset that is part of a completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or
(6) the exchange of personal data between the producer of a good or service and authorized agents of the producer who sell and service the goods and services, to enable the cooperative provisioning of goods and services by both the producer and the producer's agents.
(v) Sensitive data is a form of personal data. "Sensitive data" means:
(1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
(2) the processing of biometric data or genetic information for the purpose of uniquely identifying an individual;
(3) the personal data of a known child; or
(4) specific geolocation data.
(w) "Specific geolocation data" means information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the geographic coordinates of a consumer or a device linked to a consumer with an accuracy of more than three decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates. Specific geolocation data does not include the content of communications, the contents of databases containing street address information which are accessible to the public as authorized by law, or any data generated by or connected to advanced utility metering infrastructure systems or other equipment for use by a public utility.
(x) "Targeted advertising" means displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from the consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests. Targeted advertising does not include:
(1) advertising based on activities within a controller's own websites or online applications;
(2) advertising based on the context of a consumer's current search query or visit to a website or online application;
(3) advertising to a consumer in response to the consumer's request for information or feedback; or
(4) processing personal data solely for measuring or reporting advertising performance, reach, or frequency.
(y) "Third party" means a natural or legal person, public authority, agency, or body other than the consumer, controller, processor, or an affiliate of the processor or the controller.
(z) "Trade secret" has the meaning given in section 325C.01, subdivision 5.

Minn. Stat. § 325O.02

Added by 2024 Minn. Laws, ch. 121,s 5-3, eff. 7/31/2025.