United States of America: Introduced Consumer Data Privacy Act (HF 2309)

On 28 February 2024, the Consumer Data Privacy Act (HF 2309) was introduced to the Minnesota Legislature. The Act applies to legal entities conducting business in the State of Minnesota or providing products or services to consumers in Minnesota, as long as they either control or process personal data of at least 100,000 consumers, derive at least 25 per cent of gross revenue from the sale of personal data, and process or control personal data of at least 25'000 consumers. The Act outlines several consumer rights, including the right to confirm if a controller is processing personal information and access the categories of personal data that are being processed, the right to correct personal data, the right to delete and obtain personal data, and the right to opt out of the processing of personal data if it is being processed for purposes of targeted advertising, selling of personal data, or profiling. The Act also establishes that the consumer may exercise these rights by request at any time. Legal guardians are allowed to exercise these rights on behalf of their child. Controllers of personal data must allow consumers to opt out of any processing of personal information by sending an opt-out signal. This opting-out mechanism is not allowed to be designed to use a default setting, requiring consumers to freely make an affirmative choice. Lastly, the Act requires controllers to conduct, document, and maintain a data privacy and protection assessment, describing policies that have been adopted in order to comply with this Act.