This story was originally published by MinnPost.
You know something is tough to follow when they trot out a mnemonic device.
At a press conference last week and in a subsequent TikTok video, state Attorney General Keith Ellison explained the Minnesota Consumer Data Privacy Act, which went into effect July 31st, with the acronym “LOCKED PLUS.”
“Today’s a good day because your privacy is on lock with this law,” Ellison declared.
Those dying to know what each letter stands for are welcome to click the links above, but it is a bit strained. For L, you can get a list of third parties to which your data was sold. As for O, you can now opt out of businesses selling your data.
In fairness to the attorney general, online data privacy is a peculiar subject.
On the one hand, the underlying question — How are businesses using my information to hold my attention and shape my desires? — is a significant social issue of our time, the subject of numerous bestselling books and ceaseless handwringing.
On the other hand, understanding public policy around data collection is a chore. It can also feel like a molehill within a mountain of tech companies who understand data collection better than the regulators.
Asked at the press conference if policing online data collection is futile, Ellison responded, “It’s a game we better try to win.”
If not, “We’re going to be so far behind that when things get really bad we might not be able to catch up,” he said.
Here is a primer on the new data privacy law.
What are some of the specific problems that the Consumer Data Privacy Act is trying to solve?
When you enter information on a website or app, be it a credit card number or a password hint of what street you grew up on, the website tends to save that data.
This can lead to data breaches.
Ellison said he has handled half-a-dozen data breach investigations as attorney general. For example, he and other state attorneys general reached a settlement with Marriott last October, after the information of over 130 million hotel guests was hacked.
Another concern is a business selling your data to another business without your consent.
These cases are beginning to be enforced in states with data privacy laws. In California, DoorDash paid a civil penalty of $375,000 for selling the names, addresses and consumer histories of its unwitting clientele.
Rep. Steve Elkins, DFL-Bloomington and the bill author, also noted that websites may collect erroneous data about you, which could lead to a package not being delivered, or being quoted a higher insurance premium.
The Consumer Data Privacy Act addresses each of these concerns in a well-trod way.
“Minnesota’s new law brings it into line with 18 other states that provide their residents with comprehensive consumer data privacy protections,” said Cobun Zweifel-Keegan, Washington D.C. managing director of the International Association of Privacy Professionals, a trade group. “These state privacy laws are pretty consistent with one another, even if you may hear policy discussions about a patchwork of different state laws.”
Websites with data on 100,000 or more Minnesota residents are subject to the law. So are companies that make over 25% of their revenue from selling personal data and gather data from 25,000 or more Minnesota residents.
Are the businesses being regulated no longer able to collect and store my data?
No. You have to ask them first.
“Consumers must be proactive when exercising their LOCKED rights,” explained Ellison spokesperson Brian Evans.
The way this works is that businesses are required to have a privacy statement on their website or app, Elkins said. Then, you email the company or fill out a form telling them to delete your data.
If the company does not affirmatively respond to the request after 45 days, consumers can make a complaint to the attorney general’s office.
This is also the framework for correcting erroneous data. You can ask a website to provide the data they have on you, and the website has 45 days to reply.
Does having to be proactive apply for all data storage?
No. There is an exception for “personal data,” which the law defines as information about one’s race, religion, and ethnicity plus biometric data, genetic data, and information on where the consumer is using their computer or phone.
In those instances, the website or app must, through a pop-up or other notification, tell you that they are collecting the data, and give you a chance to opt-out.
Similar rules apply for the sale of data. You must be told (and not in some umpteen-thousand word terms-and-conditions waiver but “freely given, specific, limited and unambiguous” consent, per the law) that your data could be sold, but only with your consent.
Are businesses around the world changing their privacy statements and opt-out features to conform to Minnesota’s law?
Not really.
Websites must amend their privacy statements to say certain consumer rights are applicable in Minnesota. Elkins noted that two Minnesota-based companies, Best Buy and Target, already made this change.
But the California Consumer Privacy Act is seven years old. Most companies have a privacy statement that either already conforms to Minnesota law, or one where the business needs to literally add “MN” and a comma to be in compliance.
“Minnesotans are not likely to notice much of a difference in their online experience overall,” Zweifel-Keegan said.
You keep saying businesses and website operators. Could you be more precise in who is subject to the law?
Let’s start with who is not subject to the law, which includes health care and financial institutions whose data practices are federally regulated. Websites run by government entities or American Indian tribes are also exempt.
And, to review, small businesses collecting data on fewer than 100,000 Minnesotans or selling the data of fewer than 25,000 state residents do not have to comply.
And so that leaves … every other data-gathering website and app in the entire world that is accessible in Minnesota.
“The universe of companies that are selling data is very broad,” Elkins said.
Elkins said he wants to write a subsequent bill that would create a registry of companies subject to the law, or at least the ones that sell data.
The idea copies efforts in California, Oregon and Vermont and would provide a “one-stop shopping list for data brokers that are subject to our law, which would make it a lot easier,” Elkins said.
As for now, the state of Minnesota does not know how many companies it is regulating. The sprawling list on the California data registry suggests the answer is “a lot.”
How is this law possibly getting enforced?
The legislation allots a princely $200,000 for law enforcement, which Ellison said he would put toward the hiring of a (very) small legal and investigative team.
Otherwise, enforcement is done via the attorney general fielding complaints. In the TikTok video, Ellison gives Minnesotans a number to call, 651-296-3533.
That said, the road to credibly policing data privacy is not necessarily a dead end, if Minnesota joins states that beefed up enforcement over time.
“We have just begun to see the first enforcement actions brought under these laws in states like California, Texas and Connecticut,” said Zweifel-Keegan of IAPP.
California is perhaps the best example. In 2020, California voters passed Prop 24, greenlighting the creation of the California Privacy Protection Agency.
It was not until 2023 that the agency got off the ground. But once it did, Golden State regulators collected about 3,800 complaints in the first 18 months. This has led to numerous adverse judgments against recognizable brands like DoorDash or Honda, or largely anonymous data brokers.
Said Zweifel-Keegan, “business behavior has certainly changed since comprehensive consumer privacy laws began passing in the United States.”
This article first appeared on MinnPost and is republished here under a Creative Commons Attribution-NoDerivatives 4.0 International License.