Minnesota - Sectoral Privacy Overview
There is no explicit data privacy provision in the Constitution of the State of Minnesota.
The tort of invasion of privacy has been identified and described in §652 of the Restatement (Second) of Torts (1977) and includes:
- intrusion upon seclusion;
- public disclosure of private facts;
- appropriation of name or likeness; and
- publicly placing a person in false light.
Other torts and causes of action related to privacy may include defamation, assault and battery, trespass, breach of confidentiality, intentional infliction of emotional distress, negligence, and right of publicity.
Common law invasion of privacy
In Lake v. Wal-Mart Stores, Inc. 582 N.W.2d 231 (Minn.Sup. Ct. 1998) the Minnesota Supreme Court recognized a right to privacy in Minnesota and adopted the Restatement definitions for three of the Restatement torts - intrusion upon seclusion, appropriation, and publication of private facts. Minnesota has recognized the invasion of an individual's privacy as a tort action (see Bodah v. Lakeville Motor Express, Inc., 663 N.W.2d 550 (Minn. 2003)). The most common privacy claims raised by employees against employers are intrusion upon seclusion and publication of private facts. To prove either type of privacy claim, however, the plaintiff must first demonstrate a reasonable expectation of privacy.
Current Minnesota data privacy and security related statutes include the following:
- §325M.01 et seq. of Chapter 325M of the Minnesota Statutes ('Minn Stat.'), which concerns internet privacy;
- §325E.61 of Chapter 325E of the Minn. Stat., which concerns data breach notification ('the Breach Notification Law');
- §325E.64 of Chapter 325E of the Minn. Stat., known as the Plastic Card Security Act;
- §325E.59 of Chapter 325E of the Minn. Stat., which concerns the use of social security numbers;
- §626A.02 of Chapter 626A of the Minn. Stat., which concerns interception and disclosure of communications;
- §609.527 of Chapter 609 of the Minn. Stat., which concerns identity theft and phishing;
- Chapter 13 of the Minn. Stat., known as the Minnesota Government Data Practices Act ('MGDPA');
- §13.055 of Chapter 13 of the Minn. Stat., which concerns data breach notification for government agencies; and
- §13.15 of Chapter 13 of the Minn. Stat., which concerns cookie use on government websites;
Minn. Stat. §325M – Requirements for ISPs
Minnesota imposes confidentiality requirements on internet service providers ('ISPs') with respect to their subscribers. An ISP is required to maintain the confidentiality of its customers' personally identifiable information. According to this Minnesota law, 'personally identifiable information' means information that identifies:
- a consumer by physical or electronic address or telephone number;
- a consumer as having requested or obtained specific materials or services from an ISP;
- Internet or online sites visited by a consumer; or
- any of the contents of a consumer's data storage devices.
A consumer who prevails in an action for a violation of this statute is entitled to $500 or actual damages, whichever amount is greater (Minn. Stat. §325M.07).
Minn. Stat. §609.527 - Identity theft and phishing
The penalties for identity theft range from a misdemeanor to a 20-year felony. The penalties are based on the amount of loss incurred, the number of direct victims involved, or the related offense. Loss is defined as the value obtained and the expenses incurred as a result of the crime. Minnesota law makes it a crime to transfer, possess, or use an identity that is not one's own, with the intent to commit, aid, or abet any unlawful activity, as well as the electronic use of a false pretense to obtain another's identity, often referred to as 'phishing' (Minn. Stat. §609.527(5a)).
Minn. Stat. §§325E.61 and 13.055 - Data breach notification
Any person or business that maintains data that includes personal information that the person or business does not own must notify the owner or licensee of the information of any breach of the security of the data immediately following discovery, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
Applicable definitions and requirements under the Breach Notification Law are detailed in the section on data security below.
The MGDPA is unique to Minnesota and regulates the collection, creation, storage, maintenance, dissemination, and access of government data in government entities. It establishes a presumption that government data is public and accessible by the public for both inspection and copying unless there is federal law, a state statute, or a temporary classification of data that provides that certain data is not public. It is similar in purpose to the federal Freedom of Information Act of 1966. In some cases, state universities and the non-profit organizations affiliated with such state-funded universities are considered instrumentalities of the state and covered under the MGDPA.
Minn. Stat. §13.15 - Government websites
Plastic Card Security Act
In 2007 Minnesota became the first state to incorporate a portion of the Payment Card Industry - Data Security Standard into their state data security or data breach laws. Known as the Plastic Card Security Act, the Minnesota law was passed largely in response to the massive data breach at TJX Companies when card issuers were required to reissue millions of debit and credit cards. The Plastic Card Security Act prohibits anyone conducting business in Minnesota from storing sensitive information from credit and debit cards after the transaction has been authorized. The Plastic Card Security Act also makes non-compliant entities liable for financial institutions' costs related to canceling and replacing credit cards compromised in a security breach. As a result, any business that is breached and is found to have been storing 'prohibited' cardholder data (e.g. magnetic stripe, CCV codes, tracking data, etc.) is required to reimburse banks and other entities for costs associated with blocking and reissuing cards.
The Plastic Card Security Act also opens the business up to the potential of private lawsuits. It applies to any 'person or entity conducting business in Minnesota' that accepts credit cards, debit cards, stored value cards, or similar cards issued by financial institutions.
Failure to comply with the Plastic Card Security Act may result in the reimbursement to the card-issuing financial institutions for the 'costs of reasonable actions' to both protect its cardholders' information and to continue to provide services to its cardholders after the breach. Costs may be related to the notification, cancellation, and re-issuance, closing, and reopening of accounts, stopping of payments, and refunds for unauthorized transactions. The financial institution may also bring an action itself to recover the costs of damages it pays to cardholders resulting from the breach.
Minn. Stat. §325E.59 - Use of social security numbers
Minn. Stat. §325E.59 governs the use by non-government agencies of social security numbers in Minnesota. In particular, it prohibits persons or non-government entities from:
- publicly posting or publicly displaying in any manner an individual's social security number, i.e., intentionally communicating or otherwise making available the social security number to the general public;
- printing an individual's social security number on any card required for the individual to access products or services provided by the person or entity;
- requiring an individual to transmit the individual's social security number over the internet, unless the connection is secure or the social security number is encrypted, except as required by Titles XVIII and XIX of the Social Security Act of 1935 and by §483.20 of Subpart B of Part 483 of Subchapter G of Chapter IV of Title 42 of the Code of Federal Regulations ('C.F.R.');
- requiring an individual to use the individual's social security number to access an internet website, unless a password or unique personal identification number or another authentication device is also required to access the internet website;
- printing a number that the person or entity knows to be an individual's social security number on any materials that are mailed to the individual unless state or federal law requires the social security number to be on the document to be mailed. If in connection with a transaction involving or otherwise relating to an individual, a person or entity receives a number from a third party, that person or entity is under no duty to inquire or otherwise determine whether the number is or includes that individual's social security number and may print that number on materials mailed to the individual, unless the person or entity receiving the number has actual knowledge that the number is or includes the individual's social security number;
- assigning or using a number as the primary account identifier that is identical to or incorporates an individual's complete social security number, except in conjunction with an employee or member retirement or benefit plan or human resource or payroll administration; or
- selling social security numbers obtained from individuals in the course of business.
In this context, 'sell' does not include the release of an individual's social security number if the release of the social security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose. The release of a social security number for the purpose of marketing is not a legitimate business purpose in this context.
Notwithstanding the above-listed prohibitions, social security numbers may be included in applications and forms sent by mail, including documents sent as part of an application or enrolment process, or to establish, amend, or terminate an account, contract, or policy, or to confirm the accuracy of the social security number. This does not authorize the inclusion of a social security number on the outside of a mailing or in the bulk mailing of a credit card solicitation offer.
Non-government entities must restrict access to individual social security numbers they hold so that only their employees, agents, or contractors who require access to records containing the numbers in order to perform their job duties have access to the numbers, except as required by Titles XVIII and XIX of the Social Security Act of 1935 and by 42 C.F.R. §483.20.
However, Minn. Stat. §325E.59 does not prevent:
- the collection, use, or release of a social security number as required by state or federal law;
- the collection, use, or release of a social security number for a purpose specifically authorized or specifically allowed by a state or federal law that includes restrictions on the use and release of information on individuals that would apply to social security numbers; or
- the use of a social security number for internal verification or administrative purposes.
Finally, it should be noted that Minn. Stat. §325E.59 does not apply to documents that are recorded or required to be open to the public under Chapter 13 of the Minn. Stat., or by other law.
Minn. Stat. §626A.02 - Interception and disclosure of wire, electronic, or oral communications
Minn. Stat. §626A.02 is nearly identical to the federal wiretapping statute, the Wire and Electronic Communications Interception and Interception of Oral Communications Act under §2511 et seq. of Chapter 119 of Part I of Title 18 of the United States Code, and generally provides that it is legal for a person to record a wire, oral, or electronic communication if that person is a party to the communication, or if one of the parties has consented to the recording, so long as no criminal or tortious intent accompanies the recording.
In Minnesota, the collection, protection, and sharing of protected health information is governed by both the federal Health Insurance Portability and Accountability Act of 1996 ('HIPAA') and the Minnesota Health Records Act ('MHRA') under §144.291 et seq. of Chapter 144 of the Minn. Stat.
Minnesota has a more restrictive law than HIPAA that prohibits healthcare providers from disclosing protected health information for any reason, including treatment and payment, without the express consent of the patient. The MHRA protects data contained in the medical records of individual patients that is collected by healthcare providers, such as doctors, dentists, psychotherapists, nurses, healthcare facilities, and other licensed healthcare professionals. The MHRA addresses the sharing of this recorded data but does not control how it is to be protected or how it is to be transmitted electronically. HIPAA and the HIPAA Privacy Rule, under the HIPAA Security and Privacy Rules of Part 164 of Title 45 of the C.F.R., set the standards for the collection, protection, and sharing of individually identifiable health information for covered entities. Unlike the MHRA, HIPAA does not require consent for treatment or payment purposes.
The Plastic Card Security Act and the Gramm-Leach-Bliley Act of 1999 ('GLBA') are applicable. Among other things, the GLBA regulates the collection, use, protection, and disclosure of non-public personal information by financial institutions. With respect to banks and credit unions, the Consumer Financial Protection Bureau ('CFPB'), the Office of the Comptroller of Currency ('OCC'), the Federal Deposit Insurance Corporation ('FDIC'), and the National Credit Union Administration ('NCUA') are the primary regulators and enforcers of the GLBA. The Federal Trade Commission ('FTC') is the primary enforcer of the GLBA for all financial institutions other than those banking entities.
The definition of 'financial institution' is quite broad and includes businesses that are significantly engaged in providing financial products or services, such as check-cashing businesses, mortgage or nonbank lenders, loan brokers, financial and investment advisors, real estate service providers, insurance, debt collectors, and businesses providing retail financing to consumers. A Minnesota business can also be covered under the GLBA if it collects and maintains financial information for companies that fall directly under the GLBA. Service providers to financial institutions are subject to examination by the regulators and will generally be expected to contractually agree to comply with GLBA requirements.
Federal and Minnesota state law prohibits discrimination both in hiring and in employment on the basis of various legally protected class statuses, including race, colour, creed, religion, national origin, sex, sexual orientation, marital status, disability, genetic information, receipt of public assistance, age, and military service. Most employers are aware of these restrictions and would never consider making a decision on the basis of an employee's protected class status. However, advances in technology have revolutionised both the hiring process as well as the management of current employees. Employers should be aware of the ways in which discrimination laws could be impacted by these changes.
Protected class information
Employers generally may not ask applicants or employees about protected class status. In many cases, an employee's protected class status (such as race or gender) will be apparent to an employer. However, there are many circumstances where an employee's protected disability or religion would not be readily apparent to an employer. Resources available on the internet, particularly social media, can complicate this delicate balance for employers. In conducting an online search or reviewing social media sites of an applicant or an employee, an employer may learn information about the individual's protected class status. While employers in most cases are not prohibited from learning protected class information, they are prohibited from considering protected class information in making hiring and employment decisions. As such, having access to this information through online searches can increase the risk of a discrimination claim. Employers should therefore take special steps to separate the individuals performing searches from the hiring or employment decision process to ensure that protected class information is not shared with or taken into account in the decision-making process.
Special issues for genetic information
The ease in obtaining information about genetic information of employees also raises important employment law considerations for employers. The federal Genetic Information Nondiscrimination Act of 2008 ('GINA') provides that it is an unlawful employment practice for an employer or other covered entity to 'request, require, or purchase genetic information with respect to an employee or family member of the employee' (§202(a) of GINA). GINA defines 'genetic information' broadly, providing that genetic information may include an individual's family medical history or an individual's own disclosure of a genetic condition. Minnesota state law, specifically §181.974 of Chapter 181 of the Minn. Stat., also prohibits discrimination based on genetic information. Since genetic information may be obtained through an online or social media search, employers need to take care not to violate GINA in performing online applicant screening or gathering information about current employees. The Equal Employment Opportunity Commission's ('EEOC') Final Regulations Related to Genetic Discrimination, under §1635.1 et seq. of Part 1635 of Chapter XIV of Subtitle B of Title 29 of the C.F.R., implementing GINA provides some guidance on the acquisition of genetic information about applicants or employees via the internet and social media sites. According to the EEOC, an internet search of an individual that is likely to result in obtaining genetic information constitutes an unlawful 'request' for genetic information, whereas acquisition of information from a social media platform where the employee has given the supervisor permission to access the profile is considered inadvertent (29 C.F.R. §1635.8).
Protected activity laws
Various federal and state laws provide that employers may not take adverse action against applicants or employees based on certain legally protected activities. Accordingly, when online information about employees or applicants reveals protected activities by an individual, employers need to take care to ensure that they do not consider or act on such information in making its hiring or employment decisions.
Lawful consumable products or activities laws
Employers that use the web or social media sites to screen applicants or to monitor employees might uncover information about an individual engaged in alcohol use, smoking, or other lawful activities that an employer might disagree with or prefer the individual not do. Minnesota law prohibits employers from refusing to hire an applicant or taking adverse action against an employee for the consumption of lawful products, such as alcohol or tobacco, away from work during non-working hours. Minnesota law provides exceptions if a restriction on the consumption of lawful consumable products is based on a bona fide occupational requirement or is necessary to avoid a conflict of interest with any responsibilities owed by the employee to the employer. However, employers should act cautiously before taking any action against an applicant or employee on the basis of these narrow exceptions.
In Minnesota, an employer can be liable for negligent hiring if it 'places a person with known propensities, or propensities which should have been discovered by reasonable investigation, in an employment position in which, because of the circumstances of employment, it should have been foreseeable that the hired individual posed a threat of injury to others' (Ponticas v. Investments, 331 N.W.2d 907, 911 (Minn. 1983)). Employers have a 'duty to exercise reasonable care in view of all the circumstances in hiring individuals who, because of the employment, may pose a threat of injury to members of the public' (Ponticas at 911). This has come to be known as a 'sliding scale duty', requiring the employer to decide how much investigation is necessary based on the nature of the position. Because of this potential liability, it is sometimes appropriate for an employer, depending on their business and a particular position's duties, to do a more thorough screening of an applicant's background to try to ensure that the individual does not pose a safety risk or other risks to the business or third parties. Historically, the doctrine of negligent hiring has resulted in employers considering whether it is appropriate to run a criminal background check on applicants. As social media becomes more common, it is possible, although not yet known, that the scope of an employer's duty to investigate job applicants for safety risks may extend to conducting social media or other online searches.
There are no laws in Minnesota that provide for special protections of children's privacy online. However, the federal Children's Online Privacy Protection Act of 1998 ('COPPA') requires operators of websites directed at children under the age of 13 (or websites that knowingly collect information from children under 13) to provide a detailed privacy notice regarding their collection and use of children's data online. COPPA also requires that the operator of the website obtain 'verifiable parental consent' before collecting or using children's information beyond a one-time inquiry. The operator must provide parents with the ability to review the information collected from the child and ask for it to be deleted at any time.
There are no laws in Minnesota that regulate commercial electronic messages. The federal Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 ('CAN-SPAM') governs email communications, while text messages are restricted by the federal Telephone Consumer Protection Act of 1991 ('TCPA').
Personal information: For Minnesota residents, personal information includes first name or first initial and last name plus one or more of the following: social security number, driver's license number or state-issued ID card number, account number, credit card number or debit card number combined with any security code, access code, PIN, or password needed to access an account and generally applies to computerized data that includes personal information. It does not include encrypted data.
Breach: Breach of the 'security system' means any unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of the personal information maintained by the person or business.
Content of notice
There is no specific requirement as to the content of the notification.
The notification requirement is triggered upon discovery or notification of a breach of the security of the system. Notification must be in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data. In the event of a breach affecting over 500 people (1,000 for state agencies), consumer reporting agencies must be notified within 48 hours and must be informed of the timing, distribution, and content of the notices sent to Minnesota residents.
The Minnesota Attorney General may enforce this law by seeking injunctive relief and/or a civil penalty not to exceed $25,000.
An exemption from the Breach Notification Law may apply to an entity that is otherwise covered by a federal law such as the GLBA or HIPAA. As noted above, encrypted information is exempt, but the Minnesota statute does not define encryption.
Note that government agencies have different obligations regarding data breach notification that are set forth in Minn. Stat. §13.055.
There have been several data breach class actions involving Minnesota based businesses.
In In re Target Corporation Customer Data Security Breach Litigation, 66 F. Supp. 3d 1154 (D. Minn. 2014) the U.S. District Court for the District of Minnesota found cognisable injury for consumer plaintiffs based on allegations that Target's data breach had resulted in customers incurring unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.
In In re Supervalu, Inc. Customer Data Security Breach Litigation , 870 F.3d 763 (8th Cir. 2017), the U.S. Court of Appeals for the Eighth Circuit ('the Eighth Circuit') found injury-in-fact for allegations of actual identity theft but required additional information related to the increased risk of a threat than those originally alleged in the complaint. In this case, hackers accessed customer financial information from hundreds of retail grocery stores operated by Supervalu. A group of customers sued the stores. The Eighth Circuit held that allegations of the theft of credit card information were insufficient to support standing.
The case stems from class action claims raised against Supervalu by sixteen consumer plaintiffs over the cyberattacks that were consolidated in the U.S. District Court for the District of Minnesota. Fifteen of the sixteen named plaintiffs were previously dismissed on Article III standing grounds, and their dismissal was affirmed on a prior appeal because they failed to plead an actual or imminent injury from the attacks. These plaintiffs then sought to amend the complaint to bolster their injury allegations. The District Court rejected the fifteen plaintiffs' attempt to amend and also held that the sixteenth plaintiff failed to state a claim for which relief could be granted. The Eighth Circuit affirmed, holding that the fifteen plaintiffs' attempt to amend was untimely and that the remaining plaintiff failed to adequately plead his claims for negligence, violations of consumer protection statutes, implied contract, and unjust enrichment under Illinois law. The Eighth Circuit also rejected plaintiff's argument that a company like Supervalu has a duty to protect against the risk that the company itself would be victimized by a third-party criminal cyberattack. In affirming the dismissal for failure to state a claim, the Eighth Circuit refused to recognize a negligence-based duty on the part of companies to protect personal information under Illinois law. In rejecting claims for implied contract and unjust enrichment, the Eighth Circuit disagreed with the argument that Supervalu, merely by accepting payment cards in exchange for groceries, somehow impliedly promised consumers it would protect against cyberattacks or charged them for cybersecurity protection. The Eighth Circuit also held that the fraudulent credit card charge that the plaintiff allegedly experienced was not an actual loss that could give rise to Illinois consumer protection claims (see also Alleruzzo v. SuperValu, Inc., No. 18-1648 (8th Cir. 2019)).
There is no Minnesota state statute requiring data retention or disposal for businesses. The Official Records Act under §15.17 of Chapter 15 of the Minn. Stat. requires government entities to 'make and preserve all records necessary to a full and accurate knowledge of their official activities'. The chief administrative officer of each public agency is responsible for the preservation and care of the agency's records. These records must be passed on to the successors in office so that they can understand why past actions or decisions were made. Records may be kept in any format (e.g., electronic files, paper, photographs, other recordings, etc.).
Minnesota's records management statute, §138.17 of Chapter 138 of the Minn. Stat., requires that each entity keep an inventory of records and a retention schedule approved by both the head of the entity and the records disposition panel. In order to have an official record added to the retention schedule or to determine when an official record not on the schedule must be destroyed, entities must get the approval of the Records Disposition Panel (see also §138.225 of Chapter 138 of the Minn. Stat.).
Government entities that fail to create, preserve, and dispose of official records according to the laws above may not be able to meet their obligations under the MGDPA. For instance, an entity may not be able to respond to a data request properly if official activities have not been recorded. In addition, the MGDPA limits the collection of data on individuals to only that which is necessary to administer and manage programs authorized by law (Minn. Stat. §13.05(3)). It also requires the responsible authority to 'keep records containing government data in such an arrangement and condition as to make them easily accessible for convenient use' (Minn. Stat. §13.03(1)). These two requirements taken with the Official Records Act and the records management statute (Minn. Stat §138.17) ensure that data requests can be fulfilled accurately and within the time limits prescribed by the MGDPA