Purpose

• Creates the Minnesota AgeAppropriate Design Code Act.
• Sets obligations for certain businesses to protect children’s consumer information.
• Requires enforcement by the Minnesota Attorney General and adds new requirements to the state’s consumer data privacy laws (amending section 13.6505 and adding chapter 325M).

Who and what is covered

• Applies to a business that develops and provides online products that children are reasonably likely to access.
• The business must prioritize children’s privacy, safety, and well-being over commercial interests when conflicts arise.
• The law focuses on five age groups: zero to five, six to nine, ten to twelve, thirteen to fifteen, and sixteen to seventeen.
• Excludes certain health, financial, and other regulated data (e.g., HIPAA-related information, clinical trials, GLBA-related data).

Key obligations for businesses

• Complete a Data Protection Impact Assessment (DPIA) for any new online product likely to be accessed by children and keep records of the DPIA as long as the product is likely to be accessed by children.
• Review and update DPIAs for material changes to how the product processes data.
• On request by the Attorney General, provide lists of all DPIAs and copies of DPIAs within certain deadlines.
• Configure default privacy settings to high privacy for children unless there is a compelling reason to do otherwise.
• Provide privacy notices, terms of service, and community standards in clear language appropriate to children.
• Offer accessible tools for children and their parents to exercise privacy rights and report concerns.

Data protection impact assessment (DPIA) specifics

• DPIAs must identify: the product’s purpose, how it uses children’s data, and whether the product design or data practices align with children’s best interests.
• DPIAs analyze risks of harm (physical, financial, psychological), privacy intrusions, discrimination, exposure to inappropriate content, and other safety concerns.
• They assess whether design or data practices could expose children to risk through contracts, targeting, or exploitation, and whether features could increase use or data collection in ways not in children’s best interests.
• A single DPIA can cover multiple similar processing operations if each online product is addressed.

Prohibitions and limits

• Do not process a child’s personal data in a way that is inconsistent with the child’s best interests.
• Do not default to profiling a child; profiling may occur only if safeguards exist and one of two criteria is met: it’s necessary to provide the product as engaged by the child, or there is a compelling reason that profiling serves the child’s best interests.
• Do not process data beyond what is reasonably necessary to provide the product the child is actively using.
• Do not collect or process specific geolocation data by default unless strictly necessary, and only for the limited time needed to provide the service; must clearly signal when geolocation data is being collected.
• Prohibit dark patterns that coerce children into providing more data or abandoning privacy protections.
• Do not allow monitoring of a child’s online activity by someone other than a parent/guardian without clear notification to the child and the parent/guardian.

Data practices and confidentiality

• DPIA materials collected by the Attorney General are classified as nonpublic/private data.
• Information in a DPIA disclosed to the AG is protected by attorney-client privilege or work product protections.

Enforcement and penalties

• Violations may lead to injunctions and civil penalties.
• Penalties: up to $2,500 per affected child for negligent violations; up to $7,500 per affected child for intentional violations, in civil actions brought by the Attorney General.
• The state may also be awarded reasonable public-cost recovery (litigation expenses) in enforcement actions.
• If a business is in substantial compliance, the AG must provide notice and a 90-day cure period before pursuing penalties.

Effective date, scope, and exemptions

• The act applies to businesses meeting the revenue/consumer/device thresholds.
• Publicly offered online products must have a DPIA completed by August 1, 2027, and products offered after that date must have DPIAs in place.
• There is no private right of action created by this act.
• The act does not require age-gating or censorship of third-party content, nor does it override existing rights or freedoms for children.

Notable changes to existing law

• Establishes a new chapter (325M) focused on age-appropriate design, privacy protections for children, and DPIA requirements.
• Expands state enforcement authority to handle child-focused data protection issues via the Attorney General.
• Adds specific limitations on data processing, profiling, geolocation, and parental monitoring, with protections designed to align with children’s best interests.

Key definitions (selected)

• Online product: an online service, product, or feature (with certain exclusions).
• Best interests of children: a standard focusing on avoiding harm and prioritizing children’s privacy, safety, and well-being.
• Dark pattern: manipulative design to push users into unwanted data sharing or actions.
• Data protection impact assessment (DPIA): a systematic review of how a product processes children’s data to ensure alignment with the best interests of children.
• Profiling: automated processing that evaluates or predicts aspects about a child.
• Specific geolocation data: precise location information.
• Aggregate consumer information: data about groups that cannot identify an individual.

Relevant changes to consider - New legal framework for protecting children’s online privacy in Minnesota. - Stronger on-product privacy defaults and explicit safeguards against risky data practices. - No private lawsuits for individuals; enforcement is mainly through the Attorney General with civil penalties.

Relevant Terms - Minnesota AgeAppropriate Design Code Act - Data protection impact assessment (DPIA) - Best interests of children - Online product - Dark pattern - Profiling - Specific geolocation data - Aggregate consumer information - Deidentified data - Cross-context behavioral advertising - Affiliate - Common branding - Attorney General enforcement - Civil penalties (per child) - Injunction - Private right of action (not permitted) - HIPAA / Health data exclusions - Age groups (0-5, 6-9, 10-12, 13-15, 16-17) - Thresholds (revenue, number of consumers/households/devices)