Last reviewed November 2023

Minnesota Issue Guide
Privacy

This guide is compiled by staff at the Minnesota Legislative Reference Library on a topic of interest to state legislators. It introduces the topic and points to sources for further research. It is not intended to be exhaustive.

Legislative History  •  Books and Reports  •  Articles  •  Internet Resources
Additional Library Resources •  Federal Legislation

State policy makers face the fundamental question of how to strike a balance between the free flow of public information and the protection of personal information. Privacy advocates feel consumers should have the opportunity to choose how (or whether) their personal information is used by the businesses and government agencies with whom they have direct contact - or by third parties. Over the past decade, debate over license-plate readers, cell-phone tracking devices, REAL ID, identity theft, telecommunications, financial institutions' sharing of customer data, medical records privacy, government records, and telemarketing have been at the forefront.

In 2014, Minnesota lawmakers introduced dozens of bills aimed at addressing growing concerns over mass surveillance programs and personal data privacy. Some of the legislation reflected consumer protection efforts in response to the largest data breach on record. Rep. Mary Liz Holberg and Sen. Scott Dibble authored legislation creating the Legislative Commission on Data Practices and Personal Data Privacy (HF2120/SF2066*/CH193). The Commission's role is to study issues relating to government data practices and individuals’ personal data privacy rights, and to review legislation impacting data practices, data security, and personal data privacy. The only reform enacted in 2014 was chapter 278 (SF 2466) requiring law enforcement agencies to obtain a court order before using high-tech snooping devices such as Kingfish and Stingray, which track people's movements via their cellphones. The bill passed easily through both chambers.

2015 saw the controversial passage of requirements for the use of police-worn body cameras. In the end, Governor Dayton promised to sign the bill only if the provision allowing peace officers to review body camera recordings before writing their reports was removed. Another contentious issue involving privacy and police resulted in legislators approving a bill limiting the amount of data that can be gathered by automated license plate readers (APLRs). For much more on the discussion, see "New Law Puts Limits on License Plate Readers" from the House Public Information Office.

Legislative discussions in 2016 centered around two areas of data privacy. The Uniform Fiduciary Access to Digital Assets Act was originally drafted by the Uniform Law Commission, and then introduced as HF200 /SF476. Under it, a designated fiduciary would be able to gain access to the digital account records of deceased or incapacitated persons, in most cases. The language was eventually added to HF1372, a bill that made changes to Minnesota probate code and various other provisions and became law as chapter 135.

Minnesota lawmakers repealed a 2009 prohibition in 2016 that prevented state agencies from planning how to comply with the 2005 federal law related to Real ID (HF1732/ SF1646*). However legislators could not come to a resolution on how to bring the state's licenses into compliance with the federal Real ID law. At the time, Minnesotans could not use their driver's licenses to access federal facilities, such as nuclear plants and military bases. Concerns over whether Minnesotans would be allowed to board commercial flights using their existing Minnesota drivers' licenses were alleviated when that restriction was delayed until 2018. Conferees on HF3959/SF3589* had agreed to the Senate’s preferred implementation timeline of January 2018, but in the final days of session could not come to agreement on House language that would specifically prohibit undocumented immigrants from obtaining a Minnesota driver’s license. For more background see "House, Senate Versions of Real ID Bill Likely Headed to Conference", from the House Public Information Office, May 17, 2016.

In 2017, Minnesota lawmakers adopted compliance legislation for implementation of Federal REAL ID requirements. The 2017 Jobs and economic development bill, chapter 94 (HF1620/ SF1456*) involved discussion on whether to include an amendment that would require internet service providers (ISP) who use equipment subject to a franchise agreement, right of way agreement or other contract with the State of Minnesota or local unit of government, to obtain a consumer's explicit consent before selling or sharing Web browsing data and other private information with advertisers and other companies. Rep. Paul Thissen offered the amendment on the heels of action by the U.S. Congress to eliminate broadband privacy rules that would have required ISPs to get consumers' such explicit consent. The amendment was ultimately excluded. 

In 2021, Minnesota joined a growing list of states to consider a more comprehensive approach to consumer data privacy regulation. Minnesota's legislation (HF1492/SF1408) borrows language from the E.U.'s General Data Protection Regulation (GDPR), the California Privacy Rights Act, and legislation introduced in the state of Washington, Senate Bill 5062 (2021). The legislation did not pass, however in 2021, the Legislative Commission on Data Practices was reconstituted as a fully funded, independent legislative panel. The Commission is a continuation of the Legislative Commission on Data Practices and Personal Data Privacy that was established by Laws 2014, chapter 193 and expired June 30, 2019. The LCC Subcommittee on Data Practices replaced the Commission from June 19, 2019 to January 1, 2021. 

Minnesota is among the more than 30 states that have created a statewide cybersecurity task force, commission or advisory council or similar group in the past several years. The Minnesota Legislative Commission on Cybersecurity, established in 2021 (Minnesota Statutes 3.888), reviews the policies and practices of state agencies with regard to cybersecurity and may recommend changes in policy to adequately protect the state from cybersecurity threats.

A selection of reports and resources that explore the many facets of privacy concerns in Minnesota are presented below.

Legislative History

Minnesota Government Data Practices - Minnesota Statutes, chapters 13, 13A, 13B, 13C [See Laws of Minnesota 1979, chapter 328, section 1, Laws of Minnesota 1974, chapter 479 and Privacy of Communications Act: Laws of Minnesota 1969, chapter 953.]

Recent Session Laws on the Topic

• Laws of Minnesota 2014, chapter 278, section 2 - Government Access to Electronic Device Location Information (SF2466*/HF2288)
• Laws of Minnesota 2014, chapter 193 - Legislative Commission on Data Practices and Personal Data Privacy (SF2066*/HF2120)
• Laws of Minnesota 2015, chapter 171 - Police-worn Body Cameras (SF498*/HF430)
• Laws of Minnesota 2015, chapter 67 - Automated License Plate Readers (HF222/SF86*)
• Laws of Minnesota 2016, chapter 135, article 2, sections 2-20 - Revised Uniform Fiduciary Access to Digital Assets Act (HF1372*/SF1196)
• Laws of Minnesota 2016, chapter 83 - REAL ID Act Plan for Implementation (HF1732/SF1646*)
• Laws of Minnesota 2016, chapter 126 - Dissemination of private sexual images: Revenge Porn (HF2741/SF2713*)
• Laws of Minnesota 2017, chapter 76 - Compliance with Federal REAL ID Act Requirements (HF3*/SF166) 
• Laws of Minnesota 2017, chapter 83 - Prohibits the use of ignition interlock devices enabled with location tracking (HF179*/SF347)
• Laws of Minnesota 2018, chapter 140 - Agricultural research data collection classification (HF2982*/SF2550)
• Laws of Minnesota 2018, chapter 152 - The state will count birth defects in stillborn babies when tabulating birth defects under existing state law. Requires the Department of Health to inform parents of a child with birth defects of “the privacy implications” of the department maintaining records about their child. (HF3689*/SF2662)
• Laws of Minnesota 2018, chapter 158 - Protecting children from identity theft (HF1243*/SF1811)
• Laws of Minnesota 2021, chapter 15 - State Lottery prize winner name made private (SF151*/HF832)
• Laws of Minnesota 2021, chapter 25 - Identity theft crime technical change authorization (HF809*/SF104)
• Laws of Minnesota 2021, 1st special session, chapter 4, article 3, section 6 - Insurance: Information security program (HF6*/SF19)
• Laws of Minnesota 2021, 1st special session, chapter 11, article 3, sections 1, 36 - Legislative Commission on Data Practices and Personal Data Privacy (HF63)
• Laws of Minnesota 2021, 1st special session, chapter 12, article 2, section 1 - Created the Legislative Commission on Cybersecurity (SF2*/HF12)
• Laws of Minnesota 2022, chapter 47 - Protecting data about individuals who seek mental or behavioral health assistance. (HF3217*/SF3585)
• Laws of Minnesota 2023, chapter 52, article 4, section 17 - Strengthens laws prohibiting surreptitious observation or photographing that invades a person’s privacy. (SF2909*/HF2890)

Significant Books and Reports

Busch, Kristen E. TikTok: Recent Data Privacy and National Security Concerns. Washington, D.C., Congressional Research Service, March 29, 2023.

Citron, Danielle K. The Fight for Privacy: Protecting Dignity, Identity, and Love in the Digital Age. New York, NY: W.W. Norton & Company, 2022. (KF1262 .C58 2022).

Cleveland, Emily. Genetic Privacy Law and the Bearder Case. St. Paul: Research Department, Minnesota House of Representatives, 2013. (KFM5862.5.P8 C54 2013)

Fasman, Jon. We See it All: Liberty and Justice in an Age of Perpetual Surveillance. New York, NY: Public Affairs, 2021. (HM846.F37 2021)

Gajda, Amy. Seek and Hide: The Tangled History of the Right to Privacy. New York, NY: Viking, 2022. (KF1262.G35 2022)

Gehring, Matt. Criminal Background Checks: An Overview of Minnesota Law. St. Paul: Research Dept., Minnesota House of Representatives, Updated February 2014. (HF5549.5.E429 M45 2014)

Gehring, Matt. Minnesota Government Data Practices Act: A Data Privacy Overview. St. Paul: Research Dept., Minnesota House of Representatives, Updated 2010. (KFM5862.6.A25 M35 2010)

Genetic Information in Minnesota: A Report to the Minnesota Legislature. St. Paul: Minnesota Dept. of Administration, 2009. (KFM5862.5.P8 M56 2009)

Guarding your Privacy: Tips to Prevent Identity Theft. St. Paul: Minnesota Attorney General, 2021. (HV6679.G83 2021)

Igo, Sarah E. The Known Citizen: A History of Privacy in Modern America. Cambridge, MA: Harvard University Press, 2018. (BF637.P74 I38 2018)

Johnson, Ben and Mullen, Mary. The Internet and Public Policy: Criminal Activity on the Internet. St. Paul: Research Dept., Minnesota House of Representatives, 2018. (KF390.5.C6 J64 2018)

Kesan, Jay P. and Hayes, Carol M. Cybersecurity and Privacy Law in a Nutshell. St. Paul: West Academic Publishing, 2019. (KF390.5.C6 K475 2019)

Lane, Julia I. Privacy, Big Data, and the Public Good: Frameworks for Engagement. New York, NY: Cambridge University Press, 2014. (JC596 .P747 2014)

Larson, Lisa. Federal and State Laws Governing Access to Student Records. St. Paul: Research Department, Minnesota House of Representatives, December 2015. 

A Legal Guide to Privacy and Data Security. St. Paul: Minnesota Department of Employment and Economic Development and Lathrop GPM, 2023. (KF1262.L43 2023)

MacCarthy, Mark. Regulating Digital Industries: How Public Oversight Can Encourage Competition, Protect Privacy, and Ensure Free Speech. Washington, D.C.: Brookings Institution Press, 2023. (K564.C6 M33 2023)

The Minnesota Newborn Screening Programs. St. Paul: Research Department, Minnesota House of Representatives, 2022. (RJ255.5 M566 2022)

Mullen, Mary. The Internet and Public Policy: Challenges and Policy Considerations for State Regulation. St. Paul: Research Department, Minnesota House of Representatives, 2018. (KF390.5.C6 M85 2018)

Mullen, Mary. The Internet and Public Policy: Privacy and Consumer Protection. St. Paul: Research Department, Minnesota House of Representatives, 2018. (KF390.5.C6 M854 2018)

Pirius, Rebecca. Identity Theft and Related Crimes An Overview of Minnesota Criminal Law. St. Paul: Research Department, Minnesota House of Representatives, 2007. (KFM5968.A1 P57 2006)

Planning for Implementation of the REAL ID Act: Report to the Legislature. St. Paul: Minnesota Department of Public Safety, April 14, 2016. (KFM5697.6 P53 2016)

A Report on Genetic Information and How it is Currently Treated Under Minnesota Law. St. Paul: Minnesota Department of Administration, 2006. (KFM5862.5.P8 R47 2006)

Request to Classify Data Obtained by the use of Automatic License Plate Readers as "Not Public Data" — Findings of Fact and Conclusions. St. Paul: Minnesota Dept. of Administration, 2013. (KFM5862.5.P8 A52 2013)

Richards, Neil. Why Privacy Matters. New York, NY: Oxford University Press, 2022. (K3263 .R534 2022)

Significant Articles

(articles in reverse chronological order)

Taetzsch, Emily S. "Privacy Purgatory: Why the United States Needs a Comprehensive Federal Data Privacy Law." Journal of Legislation, January 2024, p. 121-148. 

Olson, Jeremy. "Minnesota Pioneers Universal Screening for Common Source of Birth Defects." Star Tribune, February 8, 2023. 

Gringauz, Lev. "Minnesota Has Done Well Protecting State Agencies From Cybersecurity Threats. A New Legislative Commission Wants to Keep it That Way." MinnPost, December 17, 2021. 

Cook, Mike. "Preliminary ‘Minnesota Consumer Data Privacy Act’ Proffered, Heard by Committee." Session Daily, September 27, 2021. 

Chanen, David. "Minnesota Law Enforcement Agencies Using Drones are Confronting New Transparency Law." Star Tribune, May 22, 2021. 

Hoidal, Sten-Erik. "Businesses Face New Obligations Under Web of Privacy Laws." Star Tribune, May 4, 2021. 

Cook, Mike. "Powerball, Other Lottery Winners Could Keep Names Private Via Bill Going to Governor." Session Daily, April 29, 2021.

Walker, Tim. "House Passes Protections for Private Data Dollected by Insurance Companies." Session Daily, April 12, 2021.

Libor, Jany. "Minneapolis Passes Restrictive Ban on Facial Recognition Use by Police, Others." Star Tribune, February 13, 2021.

Ferguson, Andrew Guthrie. "Facial Recognition and the Fourth Amendment." Minnesota Law Review, February, 2021.

Samar, Vincent. "Cyber-Security, Privacy, and the COVID-19 Attenuation?" Journal of Legislation [Notre Dame], Vol. 27, Issue 1, 2021. 

Tempus, Alexandra. "Privacy Fears Rising as DNA Test Companies Shift to New Ventures." MinnPost, September 29, 2020.

Finin, Tim, et. al. "Cyberattacks at the Grass Roots: American Local Governments and the Need for High Levels of Cybersecurity." Public Administration Review, November/December 2019, p. 895-904.

Greenberg, Pam. "Hands off the Data: California's New Data Protection Law Gives Consumers Greater Control Over Their Information." State Legislatures, November/December 2019, p. 20-21.

Logan, Wayne A. and Lindord, Jake. "Contracting for Fourth Amendment Privacy Online." Minnesota Law Review, November 2019, p. 101-170. 

Frederick, Susan. "State and Federal Efforts to Enhance Cybersecurity." NCSL Legisbrief, November 2019, Vol. 27, No. 40, p. 1-2.

Mantel, Barbara. "Consumer Genetic Testing: Do the Popular DNA Tests Offer Useful Information About Health Risks and Heritage?. CQ Researcher, June 14, 2019, p. 1-36.

McGeveran, William. "The Duty of Data Security." Minnesota Law Review, February 2019, p. 1135-1208.

Greenberg, Pam. "A Higher Profile for Data Privacy." NCSL Legisbrief, February 2019, Vol. 27, No. 7, p.1-2.

Wolfe, Julia. "Coerced into Health: Workplace Wellness Programs and Their Threat to Genetic Privacy." Minnesota Law Review, December 2018, p. 1089-1133.

Significant Internet Resources

Commerce and Economic Development: The Internet - Minnesota House Research subtopic area with a focus on privacy.

Data Privacy - Minnesota House Research Department topic area.

Federal Trade Commission (FTC), Bureau of Consumer Protection - Legal and compliance resources related to Privacy and Security. 

Data Practices Office - This division of the Minnesota Department of Administration provides technical assistance and consultation to individuals, government entities, businesses, and associations on Minnesota's data practices act (Minnesota Statutes, chapter 13), the Open Meeting Law (Minnesota Statutes, chapter 13D), and other information policy laws.

Legislative Commission on Cybersecurity - 2021 legislation created the Commission to review the policies and practices of state agencies with regard to cybersecurity and recommend changes in policy to adequately protect the state from cybersecurity threats.

Legislative Commission on Data Practices - 2014 legislation created the Commission to study issues relating to government data practices and individuals’ personal data privacy rights. Here is the Library's informational record on the Legislative Commission on Data Practices.

Minnesota Attorney General's Office - The office "fights for stronger privacy protection on three main fronts- law enforcement, legislative advocacy, and public education." See their topic area for Identity Theft & Computers.

Privacy/Identity Theft/Cybersecurity -- Legal research guide from the Minnesota Law Library.

National Security Agency (NSA)/Central Security Service (CSS) - Information and background on these two federal privacy-related agencies.

Privacy Rights Clearinghouse - A nonprofit consumer information and advocacy group that offers consumers in-depth information on a variety of privacy issues.

REAL ID - See also REAL ID Materials and REAL ID Frequently Asked Questions from the Minnesota Department of Public Safety, Driver and Vehicle Services Division.

Task Force on Artificial Intelligence, Cybersecurity and Privacy - National Conference of State Legislatures' (NCSL) public policy/discussion working groups. 

US Online Privacy Laws 2023: A Simple Guide to Complicated State & Federal Laws (published December 2022) - By Samuel Chapman with PrivacyJournal.net. 

U.S. Department Health and Human Services - Office for Civil Rights - HIPAA - Health Insurance Portability and Accountability Act and medical privacy.

Additional Library Resources

For historical information, check the following codes in the Newspaper Clipping File and the Vertical File: P150 (Privacy), R40 (Records & Record Management), M7 (Mailing Lists)

For additional reports at the Legislative Reference Library, use these Library catalog searches:
Data Protection; Identity Theft; Electronic Privacy.

Federal Legislation Highlights

1966 - The Freedom of Information Act (5 U.S.C. § 552) - Gives any person the right to request access to federal agency records or information. The Act defines agency records subject to disclosure, outlines mandatory disclosure procedures and grants nine exemptions to the statute.

1970 - Fair Credit Reporting Act (15 U.S.C. §§ 1681 et seq.) - Governs certain kinds of financial and other personal information included within the definition of a "consumer report."

1974 - The Privacy Act (5 U.S.C. § 552a) - Establishes certain controls over what personal information is collected by the federal government and how it is used. The act guarantees three primary rights: (1) the right to see records about oneself, subject to the Privacy Act's exemptions; (2) the right to amend that record if it is inaccurate, irrelevant, untimely, or incomplete; and (3) the right to sue the government for violations of the statute, including permitting others to see your records, unless specifically permitted by the act.

1976 - Government in the Sunshine Act (5 U.S.C. § 552b) - Presumptively opens the policymaking deliberations of collegially headed Federal agencies - such as boards, commission, or councils - to public scrutiny. Pursuant to the statute, agencies are required to publish advance notice of impending meetings and make those meetings publicly accessible.

1978 - Foreign Intelligence Surveillance Act (50 U.S.C. Chapter 36) - Designed to regulate foreign intelligence gathering. FISA was initially limited to electronic eavesdropping and wiretapping. In 1994 it was amended to permit covert physical entries in connection with "security" investigations, and in1998, it was amended to permit pen/trap orders. FISA can also be used to obtain some business records.

1986 - Electronic Communications Privacy Act (18 U.S.C. § 2511, aka Wiretap Act) - Extends the coverage of Title III to new forms of voice, data and video communications including cellular phones, electronic mail, computer transmissions, and voice and display pagers.

Enacted as Title II of the ECPA, the Stored Communications Act (18 U.S.C. Chapter 121 §§ 2701–2712) - Addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers (ISPs).

1994 - Driver's Privacy Protection Act (18 U.S.C. § 2721) - Creates a baseline standard of privacy protection for state DMV records.

1996 - Health Insurance Portability and Accountability Act (Public Law 104-191) - Creates new restrictions on electronic health care data.

1998 - Identity Theft and Assumption Deterrence Act (18 U.S.C. Chapter 47) - Prohibits knowingly transferring or using, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law.

1998 - Children's Online Privacy Protection Act (15 U.S.C. § 6501) - Commercial websites designed for children must now obtain "verifiable parental consent" before collecting, using, or disclosing personal information from all children under 13.

1999 - Gramm, Leach, Bliley Financial Services Modernization Act (15 U.S.C. Chapter 94) - Requires all financial services firms to provide annual notices about their data-use policies to all their customers, and also to provide mechanisms for customers to "opt out" — to decide that they no longer want information about them to be used in certain ways.

2001 - USA Patriot Act (Public Law No: 107-56) - After the 911 terrorist attacks, the act updated surveillance laws to reflect the digital world and expands surveillance powers of law enforcement and intelligence gathering agencies. Many provisions in the act were set to expire in 2005. The USA Patriot Act was reauthorized by the USA PATRIOT and Terrorism Prevention Reauthorization Act of 2005 (Public Law No: 109-177) and USA PATRIOT Act Additional Reauthorizing Amendments Act of 2006 (Public Law No: 109-178).

2008 - FISA Amendments Act of 2008 (H.R.6304, Public Law No: 110-261) - Expands FISA to allow warrantless surveillance, establishing a procedure for authorizing certain acquisitions of foreign intelligence.

2015 - USA Freedom Act (H.R. 2048, Public Law No. 114–23) - Extends parts of the Patriot Act and ends bulk collection of phone data.