Minn. Stat. § 325O.05

Current through Register Vol. 49, No. 8, August 19, 2024
Section 325O.05 - [As Added by 2024Minn. Laws, ch.121] [Effective 7/31/2025] CONSUMER PERSONAL DATA RIGHTS
Subdivision 1. Consumer rights provided.
(a) Except as provided in this chapter, a controller must comply with a request to exercise the consumer rights provided in this subdivision.
(b) A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing.
(c) A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data.
(d) A consumer has the right to delete personal data concerning the consumer.
(e) A consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
(f) A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.
(g) If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.
(h) A consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead.
Subd. 2. Exercising consumer rights.
(a) A consumer may exercise the rights set forth in this section by submitting a request, at any time, to a controller specifying which rights the consumer wishes to exercise.
(b) In the case of processing personal data concerning a known child, the parent or legal guardian of the known child may exercise the rights of this chapter on the child's behalf.
(c) In the case of processing personal data concerning a consumer legally subject to guardianship or conservatorship under sections 524.5-101 to 524.5-502, the guardian or the conservator of the consumer may exercise the rights of this chapter on the consumer's behalf.
(d) A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale under subdivision 1, paragraph (f), on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.
Subd. 3. Universal opt-out mechanisms.
(a) A controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale. The platform, technology, or mechanism must:
(1) not unfairly disadvantage another controller;
(2) not make use of a default setting, but require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing of the consumer's personal data;
(3) be consumer-friendly and easy to use by the average consumer;
(4) be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and
(5) enable the controller to accurately determine whether the consumer is a Minnesota resident and whether the consumer has made a legitimate request to opt out of any sale of the consumer's personal data or targeted advertising. For purposes of this paragraph, the use of an Internet protocol address to estimate the consumer's location is sufficient to determine the consumer's residence.
(b) If a consumer's opt-out request is exercised through the platform, technology, or mechanism required under paragraph (a), and the request conflicts with the consumer's existing controller-specific privacy setting or voluntary participation in a controller's bona fide loyalty, rewards, premium features, discounts, or club card program, the controller must comply with the consumer's opt-out preference signal but may also notify the consumer of the conflict and provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program.
(c) The platform, technology, or mechanism required under paragraph (a) is subject to the requirements of subdivision 4.
(d) A controller that recognizes opt-out preference signals that have been approved by other state laws or regulations is in compliance with this subdivision.
Subd. 4. Controller response to consumer requests.
(a) Except as provided in this chapter, a controller must comply with a request to exercise the rights pursuant to subdivision 1.
(b) A controller must provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights under this section. The means made available must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests.
(c) A controller may not require a consumer to create a new account in order to exercise a right, but a controller may require a consumer to use an existing account to exercise the consumer's rights under this section.
(d) A controller must comply with a request to exercise the right in subdivision 1, paragraph (f), as soon as feasibly possible, but no later than 45 days of receipt of the request.
(e) A controller must inform a consumer of any action taken on a request under subdivision 1 without undue delay and in any event within 45 days of receipt of the request. That period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay.
(f) If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in subdivision 5.
(g) Information provided under this section must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
(h) A controller is not required to comply with a request to exercise any of the rights under subdivision 1, paragraphs (b) to (e) and (h), if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief.
(i) In response to a consumer request under subdivision 1, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information:
(1) Social Security number;
(2) driver's license number or other government-issued identification number;
(3) financial account number;
(4) health insurance account number or medical identification number;
(5) account password, security questions, or answers; or
(6) biometric data.
(j) In response to a consumer request under subdivision 1, a controller is not required to reveal any trade secret.
(k) A controller that has obtained personal data about a consumer from a source other than the consumer may comply with a consumer's request to delete the consumer's personal data pursuant to subdivision 1, paragraph (d), by either:
(1) retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of this chapter; or
(2) opting the consumer out of the processing of personal data for any purpose except for the purposes exempted pursuant to the provisions of this chapter.
Subd. 5. Appeal process required.
(a) A controller must establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise any of the rights under subdivision 1 within a reasonable period of time after the consumer's receipt of the notice sent by the controller under subdivision 4, paragraph (f).
(b) The appeal process must be conspicuously available. The process must include the ease of use provisions in subdivision 3 applicable to submitting requests.
(c) Within 45 days of receipt of an appeal, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay.
(d) When informing a consumer of any action taken or not taken in response to an appeal pursuant to paragraph (c), the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general.

Minn. Stat. § 325O.05

Added by 2024 Minn. Laws, ch. 121,s 5-6, eff. 7/31/2025.