Privacy has become an increasingly central issue for individuals and businesses. For individuals, a confluence of events has focused attention on how businesses use their personal information. Whether it is massive data breaches, headline-making scandals like the Snowden revelations, all-too-prescient ads served up on internet sites and social media, or wearable technologies that track every breath and heartbeat, concern is growing about the consequences of living life online.
For their part, businesses recognize that personal information is a valuable asset. It can be mined to gain useful insight on customer preferences, used to improve products and services, analyzed to create targeted advertising, and monetized into new revenue streams. But with new opportunity has come new obligation through a spate of recent privacy laws.
The European Union (E.U.) led the way with its passage of the General Data Protection Regulation (GDPR), which became effective in May 2018. With rights designed to give individuals more control over their information, significant compliance obligations for businesses, and potentially massive fines — $27.4 million or 4% of annual worldwide revenue — the GDPR ushered in a new era of privacy regulation.
Not to be outdone, California followed suit in June 2018, passing the similarly onerous California Consumer Privacy Act. Then, in March, Virginia became the second state to enact comprehensive privacy legislation with its Consumer Data Protection Act, which is modeled after the E.U.'s and California's laws. Now, Minnesota is thinking about entering the fray.
On Feb. 22, Rep. Steve Elkins, DFL-Bloomington, introduced the Minnesota Consumer Data Privacy Act, making Minnesota the 17th state actively considering similar legislation. Minnesota's bill borrows from the E.U.'s GDPR, California's law, and another proposed bill before Washington's Legislature.
The bill provides new rights to Minnesota residents acting in "an individual or household context," but not as employees. These include the right to:
• access from a business the information it has collected about the individual or to confirm the categories of information the business has processed;
• request the business correct inaccurate or outdated personal information;