Learn About The Law
Get help with your legal needs
FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.
Current as of January 01, 2025 | Updated by Findlaw Staff
Subdivision 1. Scope. (a) Sections 325M.10to325M.21apply to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:
(1) during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2) derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.
(b) A controller or processor acting as a technology provider undersection 13.32shall comply withsections 13.32and325M.10to325M.21, except that when the provisions ofsection 13.32conflict withsections 325M.10to325M.21,section 13.32prevails.
Subd. 2. Exclusions. (a) Sections 325M.10to325M.21do not apply to the following entities, activities, or types of information:
(1) a government entity, as defined bysection 13.02, subdivision 7a;
(2) a federally recognized Indian tribe;
(3) information that meets the definition of:
(i) protected health information, as defined by and for purposes of the Health Insurance Portability and Accountability Act of 1996,Public Law 104-191, and related regulations;
(ii) health records, as defined insection 144.291, subdivision 2;
(iii) patient identifying information for purposes ofCode of Federal Regulations, title 42, part 2, established pursuant toUnited States Code, title 42, section 290dd-2;
(iv) identifiable private information for purposes of the federal policy for the protection of human subjects,Code of Federal Regulations, title 45, part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation; the protection of human subjects underCode of Federal Regulations, title 21, parts 50and56; or personal data used or shared in research conducted in accordance with one or more of the requirements set forth in this paragraph;
(v) information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986,Public Law 99-660, and related regulations; or
(vi) patient safety work product for purposes ofCode of Federal Regulations, title 42, part 3, established pursuant toUnited States Code, title 42, sections 299b-21to299b-26;
(4) information that is derived from any of the health care-related information listed in clause (3), but that has been deidentified in accordance with the requirements for deidentification set forth inCode of Federal Regulations, title 45, part 164;
(5) information originating from, and intermingled to be indistinguishable with, any of the health care-related information listed in clause (3) that is maintained by:
(i) a covered entity or business associate, as defined by the Health Insurance Portability and Accountability Act of 1996,Public Law 104-191, and related regulations;
(ii) a health care provider, as defined insection 144.291, subdivision 2; or
(iii) a program or a qualified service organization, as defined byCode of Federal Regulations, title 42, part 2, established pursuant toUnited States Code, title 42, section 290dd-2;
(6) information that is:
(i) maintained by an entity that meets the definition of health care provider underCode of Federal Regulations, title 45, section 160.103, to the extent that the entity maintains the information in the manner required of covered entities with respect to protected health information for purposes of the Health Insurance Portability and Accountability Act of 1996,Public Law 104-191, and related regulations;
(ii) included in a limited data set, as described underCode of Federal Regulations, title 45, part 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified by that part;
(iii) maintained by, or maintained to comply with the rules or orders of, a self-regulatory organization as defined byUnited States Code, title 15, section 78c(a)(26);
(iv) originated from, or intermingled with, information described in clause (9) and that a licensed residential mortgage originator, as defined undersection 58.02, subdivision 19, or residential mortgage servicer, as defined undersection 58.02, subdivision 20, collects, processes, uses, or maintains in the same manner as required under the laws and regulations specified in clause (9); or
(v) originated from, or intermingled with, information described in clause (9) and that a nonbank financial institution, as defined bysection 46A.01, subdivision 12, collects, processes, uses, or maintains in the same manner as required under the laws and regulations specified in clause (9);
(7) information used only for public health activities and purposes, as described underCode of Federal Regulations, title 45, part 164.512;
(8) an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined inUnited States Code, title 15, section 1681a(f), by a furnisher of information, as set forth inUnited States Code, title 15, section 1681s-2, who provides information for use in a consumer report, as defined inUnited States Code, title 15, section 1681a(d), and by a user of a consumer report, as set forth inUnited States Code, title 15, section 1681b, except that information is only excluded under this paragraph to the extent that the activity involving the collection, maintenance, disclosure, sale, communication, or use of the information by the agency, furnisher, or user is subject to regulation under the federal Fair Credit Reporting Act,United States Code, title 15, sections 1681to1681x, and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act;
(9) personal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act,Public Law 106-102, and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law;
(10) personal data collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act of 1994,United States Code, title 18, sections 2721to2725, if the collection, processing, sale, or disclosure is in compliance with that law;
(11) personal data regulated by the federal Family Educational Rights and Privacy Act,United States Code, title 20, section 1232g, and implementing regulations;
(12) personal data collected, processed, sold, or disclosed pursuant to the federal Farm Credit Act of 1971, as amended,United States Code, title 12, sections 2001to2279cc, and implementing regulations,Code of Federal Regulations, title 12, part 600, if the collection, processing, sale, or disclosure is in compliance with that law;
(13) data collected or maintained:
(i) in the course of an individual acting as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of a business if the data is collected and used solely within the context of the role;
(ii) as the emergency contact information of an individual under item (i) if used solely for emergency contact purposes; or
(iii) that is necessary for the business to retain to administer benefits for another individual relating to the individual under item (i) if used solely for the purposes of administering those benefits;
(14) personal data collected, processed, sold, or disclosed pursuant to the Minnesota Insurance Fair Information Reporting Act insections 72A.49to72A.505;
(15) data collected, processed, sold, or disclosed as part of a payment-only credit, check, or cash transaction where no data about consumers, as defined insection 325M.11, are retained;
(16) a state or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities, as described inUnited States Code, title 12, section 1843(k);
(17) information that originates from, or is intermingled so as to be indistinguishable from, information described in clause (8) and that a person licensed under chapter 56 collects, processes, uses, or maintains in the same manner as is required under the laws and regulations specified in clause (8);
(18) an insurance company, as defined insection 60A.02, subdivision 4, an insurance producer, as defined insection 60K.31, subdivision 6, a third-party administrator of self-insurance, or an affiliate or subsidiary of any entity identified in this clause that is principally engaged in financial activities, as described inUnited States Code, title 12, section 1843(k), except that this clause does not apply to a person that, alone or in combination with another person, establishes and maintains a self-insurance program that does not otherwise engage in the business of entering into policies of insurance;
(19) a small business, as defined by the United States Small Business Administration underCode of Federal Regulations, title 13, part 121, except that a small business identified in this clause is subject tosection 325M.17;
(20) a nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance; and
(21) an air carrier subject to the federal Airline Deregulation Act,Public Law 95-504, only to the extent that an air carrier collects personal data related to prices, routes, or services and only to the extent that the provisions of the Airline Deregulation Act preempt the requirements ofsections 325M.10to325M.21.
(b) Controllers that are in compliance with the Children's Online Privacy Protection Act,United States Code, title 15, sections 6501to6506, and implementing regulations, shall be deemed compliant with any obligation to obtain parental consent undersections 325M.10to325M.21.
Cite this article: FindLaw.com - Minnesota Statutes Trade Regulations, Consumer Protection (Ch. 324-341) § 325M.12. Scope; exclusions - last updated January 01, 2025 | https://codes.findlaw.com/mn/trade-regulations-consumer-protection-ch-324-341/mn-st-sect-325m-12/
FindLaw Codes may not reflect the most recent version of the law in your jurisdiction. Please verify the status of the code you are researching with the state legislature before relying on it for your legal needs.
A free source of state and federal court opinions, state laws, and the United States Code. For more information about the legal concepts addressed by these cases and statutes, visit FindLaw’s Learn About the Law.
Get help with your legal needs
FindLaw’s Learn About the Law features thousands of informational articles to help you understand your options. And if you’re ready to hire an attorney, find one in your area who can help.
Search our directory by legal issue
Enter information in one or both fields (Required)