Plain English Breakdown
The plain English breakdown is still being put together. The official documents below are already here.
SF4574 • 2026
Minnesota Age-Appropriate Design Code Act establishment
Minnesota Age-Appropriate Design Code Act establishment
Passed Legislature
This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.
Bill History
-
2026-03-18
House
Introduction and first reading
Official Summary Text
Minnesota Age-Appropriate Design Code Act establishment
Current Bill Text
Read the full stored bill text
A bill for an act relating to consumer data privacy; creating the Minnesota Age-Appropriate Design Code Act; placing obligations on certain businesses regarding children's consumer information; providing for enforcement by the attorney general; amending Minnesota Statutes 2024, section 13.6505, by adding a subdivision; proposing coding for new law in Minnesota Statutes, chapter 325M. BE IT ENACTED BY THE LEGISLATURE OF THE STATE OF MINNESOTA: Section 1. Minnesota Statutes 2024, section 13.6505, is amended by adding a subdivision to read: new text begin Subd. 3. new text end new text begin Data protection impact assessments. new text end new text begin A data protection impact assessment collected or maintained by the attorney general under section 325M.44 is classified under section 325M.44, subdivision 3. new text end Sec. 2. new text begin [325M.40] CITATION; CONSTRUCTION. new text end new text begin Subdivision 1. new text end new text begin Citation. new text end new text begin This chapter may be cited as the "Minnesota Age-Appropriate Design Code Act." new text end new text begin Subd. 2. new text end new text begin Construction. new text end new text begin (a) A business that develops and provides online products that children are reasonably likely to access must consider the best interests of children when designing, developing, and providing that online product. new text end new text begin (b) If a conflict arises between commercial interests of a business and the best interests of children likely to access an online product, service, or feature, the business must prioritize the privacy, safety, and well-being of children over its commercial interests. new text end new text begin (c) In order to help support the design of online products, a business must consider the unique needs and diversities of different age ranges, including the following developmental stages: new text end new text begin (1) zero to five years of age or "preliterate and early literacy"; new text end new text begin (2) six to nine years of age or "core primary school years"; new text end new text begin (3) ten to 12 years of age or "transition years"; new text end new text begin (4) 13 to 15 years of age or "early teens"; and new text end new text begin (5) 16 to 17 years of age or "approaching adulthood." new text end Sec. 3. new text begin [325M.41] DEFINITIONS. new text end new text begin (a) For purposes of this chapter, the following terms have the meanings given. new text end new text begin (b) "Affiliate" has the meaning given in section 325M.11. new text end new text begin (c) "Aggregate consumer information" means information: new text end new text begin (1) that relates to a group or category of consumers; new text end new text begin (2) from which individual consumer identities have been removed; new text end new text begin (3) that is not linked or reasonably linkable to any consumer or household, including by a device; and new text end new text begin (4) that does not include deidentified data. new text end new text begin (d) "Best interests of children" means a business's use of the personal data of a child or the design of an online product in a way that does not: new text end new text begin (1) benefit the business to the detriment of children; and new text end new text begin (2) result in: new text end new text begin (i) reasonably foreseeable and material physical or financial harm to children; new text end new text begin (ii) reasonably foreseeable and severe psychological or emotional harm to children; new text end new text begin (iii) a highly offensive intrusion on children's reasonable expectation of privacy; or new text end new text begin (iv) discrimination against children based on race, color, religion, national origin, disability, sex, or sexual orientation. new text end new text begin (e) "Business" means: new text end new text begin (1) a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners; and new text end new text begin (2) an affiliate of a business that shares common branding with the business. For purposes of this clause, "common branding" means a shared name, service mark, or trademark that the average consumer would understand that two or more entities commonly own. new text end new text begin For purposes of this chapter, for a joint venture or partnership composed of businesses in which each business has at least a 40 percent interest, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal data in the possession of each business and disclosed to the joint venture or partnership must not be shared with the other business. new text end new text begin (f) "Child" means a consumer who is under 18 years of age. new text end new text begin (g) "Collect" means buying, renting, gathering, obtaining, receiving, or accessing any personal data pertaining to a consumer by any means. This includes receiving data from the consumer, either actively or passively or by observing the consumer's behavior. new text end new text begin (h) "Consumer" has the meaning given in section 325M.11. new text end new text begin (i) "Dark pattern" has the meaning given in section 325M.11. new text end new text begin (j) "Data protection impact assessment" means a systematic survey to assess compliance with the duty to act in the best interests of children. new text end new text begin (k) "Default" means a preselected option adopted by the business for the online product. new text end new text begin (l) "Deidentified data" has the meaning given in section 325M.11. new text end new text begin (m) "Online product" means an online service, product, or feature. Online product does not include the following: new text end new text begin (1) telecommunications services as defined in United States Code, title 47, section 153; new text end new text begin (2) a broadband service as defined by section 116J.39, subdivision 1; or new text end new text begin (3) the sale, delivery, or use of a physical product sold by an online retailer. new text end new text begin (n) "Personal data" has the meaning given in section 325M.11. new text end new text begin (o) "Process" or "processing" has the meaning given in section 325M.11. new text end new text begin (p) "Product experimentation results" means the data that a business collects to understand the experimental impact of its products. new text end new text begin (q) "Profiling" has the meaning given in section 325M.11. new text end new text begin (r) "Reasonably likely to be accessed by children" means that it is reasonable to expect that the online product would be accessed by children, based on satisfying any of the following criteria: new text end new text begin (1) the online product is directed to children as defined by the Children's Online Privacy Protection Act, United States Code, title 15, section 6501 et seq., and the Federal Trade Commission rules implementing that act; new text end new text begin (2) the online product is determined, based on competent and reliable evidence regarding audience composition, to be routinely accessed by a significant number of children; new text end new text begin (3) the online product contains advertisements marketed to children; new text end new text begin (4) the online product is substantially similar to or the same as an online product subject to clause (2); new text end new text begin (5) a significant amount of the audience of the online product is determined, based on internal company research, to be children; or new text end new text begin (6) the business knew or should have known that a significant number of users are children. new text end new text begin (s) "Sale," "sell," or "sold" has the meaning given in section 325M.11. new text end new text begin (t) "Share" means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means a consumer's personal data by the business to a third party for cross-context behavioral advertising, whether for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged. new text end new text begin (u) "Specific geolocation data" has the meaning given in section 325M.11. new text end new text begin (v) "Third party" has the meaning given in section 325M.11. new text end Sec. 4. new text begin [325M.43] SCOPE; EXCLUSIONS. new text end new text begin (a) A business is subject to this chapter if it: new text end new text begin (1) collects consumers' personal data or has consumers' personal data collected on its behalf by a third party; new text end new text begin (2) determines alone or jointly with others the purposes and means of the processing of consumers' personal data; new text end new text begin (3) does business in Minnesota; and new text end new text begin (4) satisfies one or more of the following thresholds: new text end new text begin (i) has annual gross revenues in excess of $25,000,000, as adjusted every odd-numbered year to reflect the Consumer Price Index; new text end new text begin (ii) annually buys, receives for the business's commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal data of 50,000 or more consumers, households, or devices; or new text end new text begin (iii) derives 50 percent or more of its annual revenues from selling consumers' personal data. new text end new text begin (b) This chapter does not apply to: new text end new text begin (1) protected health information that is collected by a covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Code of Federal Regulations, title 45, parts 160 and 164, established pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and the Health Information Technology for Economic and Clinical Health Act, Public Law 111-5; new text end new text begin (2) a covered entity governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, Code of Federal Regulations, title 45, parts 160 and 164, established pursuant to the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, to the extent the provider or covered entity maintains patient information in the same manner as medical information or protected health information as described in clause (1); new text end new text begin (3) information collected as part of a clinical trial subject to the federal policy for the protection of human subjects, also known as the common rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration; or new text end new text begin (4) data subject to Title V of the Gramm-Leach-Bliley Act of 1999, Public Law 106-102. new text end Sec. 5. new text begin [325M.44] BUSINESS OBLIGATIONS. new text end new text begin Subdivision 1. new text end new text begin Requirements for businesses. new text end new text begin (a) A business subject to this chapter must: new text end new text begin (1) complete a data protection impact assessment for any new online product that is reasonably likely to be to accessed by children and maintain documentation of the data protection impact assessment as long as the online product is reasonably likely to be accessed by children; new text end new text begin (2) review and modify all data protection impact assessments as necessary to account for material changes to processing pertaining to the online product; new text end new text begin (3) within five business days of a written request by the attorney general, provide to the attorney general a list of all data protection impact assessments the business has completed; new text end new text begin (4) within seven business days of a written request by the attorney general or by a date otherwise specified by the attorney general, provide the attorney general with a copy of any data protection impact assessment; new text end new text begin (5) configure all default privacy settings provided to children by the online product to settings that offer a high level of privacy, unless the business can demonstrate a compelling reason that a different setting is in the best interests of children; new text end new text begin (6) provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children reasonably likely to access that online product; and new text end new text begin (7) provide prominent, accessible, and responsive tools to help children or if applicable, their parents or guardians, exercise their privacy rights and report concerns. new text end new text begin (b) A business that provides an online product reasonably likely to be accessed by children must prepare a data protection impact assessment for an online product that is offered to the public on or before August 1, 2027, and will continue to be offered to the public after that date, or that is initially offered to the public after August 1, 2027. new text end new text begin (c) A data protection impact assessment must: new text end new text begin (1) identify the purpose of the online product; new text end new text begin (2) identify how the online product uses children's data; new text end new text begin (3) determine whether the online product is designed in a manner consistent with the best interests of children reasonably likely to access the online product through consideration of: new text end new text begin (i) whether algorithms used by the product, service, or feature would result in reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and extreme psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation; new text end new text begin (ii) whether the design or data processing practices of the online product could lead to children experiencing or being targeted by contacts on the online product that would result in reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and extreme psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation; new text end new text begin (iii) whether the design or data processing practices of the online product could permit children to witness, participate in, or be subject to conduct on the online product that would result in reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and extreme psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation; new text end new text begin (iv) whether the design or data processing practices of the online product are reasonably expected to allow children to be party to or exploited by a contract on the online product that would result in reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and extreme psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation; new text end new text begin (v) whether the online product uses system design features to increase, sustain, or extend use of the online product by children, including the automatic playing of media, rewards for time spent, and notifications that would result in reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and extreme psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation; new text end new text begin (vi) whether, how, and for what purpose the online product, service, or feature collects or processes personal data of children and whether those practices would result in reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and extreme psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation; new text end new text begin (vii) whether and how product experimentation results for the online product, service, or feature reveal data management or design practices that would result in reasonably foreseeable and material physical or financial harm to the child; reasonably foreseeable and extreme psychological or emotional harm to the child; a highly offensive intrusion on the reasonable privacy expectations of the child; or discrimination against the child based upon race, color, religion, national origin, disability, sex, or sexual orientation; and new text end new text begin (viii) any other factor that may indicate that the online product is designed in a manner that is inconsistent with the best interests of children; and new text end new text begin (4) include a description of steps that the business has taken and will take to act in a manner consistent with the best interests of children. new text end new text begin (d) A data protection impact assessment conducted by a business for the purpose of compliance with any other law complies with this section if the data protection impact assessment meets the requirement of this chapter. new text end new text begin (e) A single data protection impact assessment may contain multiple similar processing operations that present similar risk only if each relevant online product is addressed. new text end new text begin Subd. 2. new text end new text begin Prohibition on businesses. new text end new text begin (a) A business that provides an online product reasonably likely to be accessed by children must not: new text end new text begin (1) process the personal data of any child in a way that is inconsistent with the best interests of children reasonably likely to access the online product; new text end new text begin (2) profile a child by default unless both of the following criteria are met: new text end new text begin (i) the business can demonstrate it has appropriate safeguards in place to ensure that profiling is consistent with the best interests of children reasonably likely to access the online product; and new text end new text begin (ii) either of the following is true: new text end new text begin (A) profiling is necessary to provide the online product requested and only with respect to the aspects of the online product with which a child is actively and knowingly engaged; or new text end new text begin (B) the business can demonstrate a compelling reason that profiling is in the best interests of children; new text end new text begin (3) process any personal data that is not reasonably necessary to provide an online product with which a child is actively and knowingly engaged; new text end new text begin (4) if the end user is a child, process personal data for any reason other than a reason for which that personal data was collected; new text end new text begin (5) process any specific geolocation data of children by default, unless the collection of that specific geolocation data is strictly necessary for the business to provide the service, product, or feature requested and then only for the limited time that the collection of specific geolocation data is necessary to provide the service, product, or feature; new text end new text begin (6) process any specific geolocation data of a child without providing an obvious sign to the child for the duration of that collection that specific geolocation data is being collected; new text end new text begin (7) use dark patterns to cause children to provide personal data beyond what is reasonably expected to provide that online product to forego privacy protections, or to take any action that the business knows, or has reason to know, is not in the best interests of children reasonably likely to access the online product; or new text end new text begin (8) allow a person other than a child's parent or guardian to monitor the child's online activity without first notifying the child and the child's parent or guardian. new text end new text begin (b) A business that provides an online product that is accessed or reasonably likely to be accessed by children may allow a child's parent or guardian to monitor the child's online activity or track the child's location without providing an obvious signal to the child when the child is being monitored or tracked. new text end new text begin (c) In determining whether an online product is reasonably likely to be accessed by children, a business may not collect or process any personal data beyond what is reasonably necessary to make the determination. new text end new text begin Subd. 3. new text end new text begin Data practices. new text end new text begin (a) A data protection impact assessment collected or maintained by the attorney general under subdivision 1 is classified as nonpublic data or private data on individuals under section 13.02, subdivisions 9 and 12. new text end new text begin (b) To the extent any information contained in a data protection impact assessment disclosed to the attorney general includes information subject to attorney-client privilege or work product protection, disclosure pursuant to this section does not constitute a waiver of that privilege or protection. new text end Sec. 6. new text begin [325M.45] ATTORNEY GENERAL ENFORCEMENT. new text end new text begin (a) A business that violates this chapter may be subject to an injunction and liable for a civil penalty of not more than $2,500 per affected child for each negligent violation, or not more than $7,500 per affected child for each intentional violation, which may be assessed and recovered only in a civil action brought by the attorney general in accordance with section 8.31. If the state prevails in an action to enforce this chapter, the state may, in addition to penalties provided by this paragraph or other remedies provided by law, be allowed an amount determined by the court to be the reasonable value of all or part of the state's litigation expenses incurred. new text end new text begin (b) Any penalties, fees, and expenses recovered in an action brought under this chapter must be deposited in an account in the special revenue fund and are appropriated to the attorney general to offset costs incurred by the attorney general in connection with enforcement of this chapter. new text end new text begin (c) If a business is in substantial compliance with this act and has fulfilled the requirements of section 325M.44, subdivision 1, paragraph (a), clause (1), the attorney general must, before initiating a civil action under this section, provide written notice to the business identifying the specific provisions of this chapter that the attorney general alleges have been or are being violated. If, within 90 days of receiving notice, the business cures any noticed violation and provides the attorney general a written statement that the alleged violations have been cured, and sufficient measures have been taken to prevent future violations, the business is not liable for a civil penalty for any violation cured pursuant to this section. new text end Sec. 7. new text begin [325M.46] LIMITATIONS. new text end new text begin Nothing in this chapter shall be interpreted or construed to: new text end new text begin (1) impose liability in a manner that is inconsistent with United States Code, title 47, section 230; new text end new text begin (2) provide a private right of action under this chapter, section 8.31, or any other law; new text end new text begin (3) prevent or preclude any child from deliberately or independently searching for or specifically requesting content; new text end new text begin (4) require a business to implement age-gating or other technical protection methods to prevent underage people from viewing a website or other content; new text end new text begin (5) infringe on the existing rights and freedoms of children; new text end new text begin (6) require a business to monitor or censor third-party content; or new text end new text begin (7) discriminate against children on the basis of race, color, religion, national origin, disability, gender identity, sex, or sexual orientation. new text end