The following law(s) specifically govern personal data / information:
Except for data breach notification statutes, Minnesota has no state law, like the California Consumer Privacy Act, that covers personal data.
There is no explicit data privacy provision in the Minnesota State Constitution.
Tort Law. The tort of invasion of privacy has been identified and described in the Restatement (Second) of Torts § 652 (1977) (“Restatement”) and includes: 1) intrusion upon seclusion; 2) public disclosure of private facts; 3) appropriation of name or likeness; and 4) publicly placing a person in false light. Other torts and causes of action related to privacy may include defamation, assault and battery, trespass, breach of confidentiality, intentional infliction of emotional distress, negligence, and right of publicity.
Common Law Invasion of Privacy. In Lake v. Wal-Mart Stores, Inc., 582 N.W.2d 231 (Minn. Sup. Ct. 1998), the Minnesota Supreme Court recognized a right to privacy in Minnesota and adopted the Restatement definitions for three of the Restatement torts - intrusion upon seclusion, appropriation, and publication of private facts. Minnesota has recognized invasion of an individual’s privacy as a tort action. [See Bodah v. Lakeville Motor Express, Inc., 663 N.W.2d 550 (Minn. 2003).] The most common privacy claims raised by employees against employers are intrusion upon seclusion and publication of private facts. To prove either type of privacy claim, however, the plaintiff must first demonstrate a reasonable expectation of privacy.
Minn. Stat. § 325M.01 Internet Service Providers
Minn. Stat. § 609.527 Identity Theft/Phishing
Minn. Stat. § 325E.61 Data Breach Notification
Minn. Stat. § 13.055 Data Breach Notification (Government Agencies)
Minn. Stat. § 13.0 Minnesota Government Data Practices Act
Minn. Stat. § 13.15 Government Websites
Minn. Stat. § 325E.64 Plastic Card Security Act
Minn. Stat. § 325E.59 Social Security Numbers
Minn. Stat. § 626A.02 Interception and Disclosure of Wire, Electronic, or Oral Communications Prohibited
The key data protection principles in this jurisdiction are:
No general principles.
The supervisory authority / regulator in charge of data protection is:
No central data privacy supervisory authority or regulator except for Minnesota Attorney General.
Is there a requirement to register with a supervisory authority / regulator?
No registration required.
Is there a requirement to notify the supervisory authority / regulator?
No registration required.
Is it possible to register with / notify the supervisory authority / regulator online?
The key data subject rights under the data protection laws of this jurisdiction are:
No key rights except for notice in the event of a data breach.
Is there a requirement to appoint a data protection officer (or equivalent)?
No statutory requirement for a data protection officer.
Do data protection/ privacy impact assessments need to be carried out in certain circumstances?
Not currently, but some proposed legislation has included such a requirement, similar to the one in the EU General Data Protection Regulation.
Does this jurisdiction have any specific data breach notification requirements?
Minn. Stat. §§ 325E.61 and 13.055 Data Breach Notification
Any person or business that maintains data that includes personal information that the person or business does not own must notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
- Definition of Personal Information. For Minnesota residents, personal information includes first name or first initial and last name plus one or more of the following: social security number, driver’s license number or state-issued ID card number, or account number, credit card number or debit card number combined with any security code, access code, PIN, or password needed to access an account. The statute generally applies to computerized data that includes personal information. It does not include encrypted data.
- Definition of Breach. Breach of the “security system” means any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by the person or business.
- Content of Notice. There is no specific requirement as to content of the notification.
- Timing. The notification requirement is triggered upon discovery or notification of a breach of the security of the system. Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data. In the event of a breach affecting over 500 people (1,000 for state agencies), consumer reporting agencies (CRAs) must be notified within 48 hours and must be informed of the timing, distribution, and content of the notices sent to Minnesota residents.
- Penalty. The Minnesota Attorney General may enforce this law by seeking injunctive relief and/or a civil penalty not to exceed $25,000.
- Exemptions. An exemption from this notification statute may apply to an entity that is otherwise covered by a federal law such as the GLBA or HIPAA. As noted above, encrypted information is exempt, but the Minnesota statute does not define encryption. Note that government agencies have different obligations regarding data breach notification, which are set forth in Minn. Stat. § 13.055 Data Breach Notification (Government Agencies).
The following restrictions apply to the international transfer of personal data / information:
Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?
The following rules specifically deal with marketing:
There are no rules that are specific to marketing.
Do different rules apply to business-to-business and business-to-consumer marketing?
The following rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc):
No state laws. Federal laws such as CAN-SPAM and TCPA apply.
The following rules specifically deal with cookies:
No specific state laws.
The consequences of non-compliance with data protection laws (including marketing laws) are:
There is no state regulator except for the Minnesota Attorney General, who may impose fines under the data breach notification statutes discussed above.
In broad terms, multinational organisations should be aware of the following key factors if they process personal data / information from individuals within this jurisdiction, without being located there:
Minn. Stat. § 325E.64 Plastic Card Security Act
In 2007 Minnesota became the first state to incorporate a portion of the PCI-DSS into its state data security and data breach laws. Known as the Plastic Card Security Act, the Minnesota law was passed largely in response to the massive data breach at TJX Companies, after which card issuers were required to reissue millions of debit and credit cards. The Minnesota law prohibits anyone conducting business in Minnesota from storing sensitive information from credit and debit cards after the transaction has been authorized. The law also makes noncompliant entities liable for financial institutions’ costs related to cancelling and replacing credit cards compromised in a security breach. As a result, any business that is breached and is found to have been storing “prohibited” cardholder data (e.g., magnetic stripe, CCV codes, tracking data, etc.) is required to reimburse banks and other entities for costs associated with blocking and reissuing cards. This law also exposes the business to the potential of private lawsuits. This law applies to any “person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards, or similar cards issued by financial institutions. Failure to comply with the law may result in liability to reimburse the card-issuing financial institutions for the “costs of reasonable actions” taken both to protect their cardholders’ information and to continue to provide services to their cardholders after the breach. Costs may relate to notification, cancellation and reissuance, closing and reopening of accounts, stop payments, and refunds for unauthorized transactions. The financial institution may also bring an action itself to recover the costs of damages it pays to cardholders as a result of the breach.
Multinational organisations should be aware of the following upcoming data protection developments:
Nothing unique or special about Minnesota. However, bills have been introduced that are similar to the California Consumer Privacy Act and to proposed Washington state legislation.