A view from DC: From murder to movement in Minnesota and beyond

Less than two months ago, Minnesota state legislator Melissa Hortman was assassinated in her home. The shocking killing of representative Hortman and her husband, alongside the alleged murderer's attempts and apparent plans to target other lawmakers, have forced Americans to reckon with what the rise of political violence means for our democracy.

The killings have also sparked renewed attention to the widespread availability of personal information and inferences on the internet after court filings described a notebook found in the alleged shooter's car that included a handwritten list of 11 people-search websites. These "registered data brokers," as news reports called them, have often been the subject of regulatory scrutiny.

Such sites are the dubious public face of a ubiquitous but highly varied industry that generates hundreds of billions of dollars of revenue each year.

U.S. Sen. Amy Klobuchar, D-Minn., brought up the tragedy in her opening remarks this week for a hearing of the Senate Judiciary Subcommittee on Privacy, Technology, and the Law, where she serves as ranking member. "And we all learned too tragically with the horrific murders in my state of my good friend Melissa Hortman, the former Speaker of the House, and her husband Mark how accessible personal data is, including people's addresses, because the murderer only killed the people and went to the houses of the people whose addresses he had."

Klobuchar asked her fellow senators a rhetorical question about whether the value generated by the data industry is worth such high costs. "Should a person … really have to submit to this kind of intrusive data collection just to send a message to a friend online, to book a flight, or to order some diapers? I don't think so."

Tying this conclusion directly to the spread of comprehensive state privacy laws, Klobuchar went on to question the hypocrisy of companies lobbying against bills like the American Data Privacy and Protection Act while also complaining about the compliance costs of the evolving patchwork of states with baseline consumer protections for personal data.

Yesterday, the senator's home state became fully stitched into the patchwork as the Minnesota Consumer Data Privacy Act went into effect.

In a press release, Minnesota Attorney General Keith Ellison confirmed that enforcement will be a priority for his office. The release highlights the fact that the law, as passed, "included funding for the office to hire four new attorneys as well as an investigator who will primarily focus on the enforcement of this legislation."

Once the team is at full strength, this level of funding will put Minnesota in the heavyweight division of U.S. privacy enforcers, joining California and Texas.

The office of the attorney general appears to have already put in a lot of effort to bring the law online in a consumer-friendly way, launching a web portal that includes colorful guides, fillable PDFs that consumers are instructed to submit to companies to exercise their rights, and even a mnemonic for data rights: "Under the Act, you have rights to keep your data private and LOCKED+." The letters in this novel acronym stand for "list" — a reference to the relatively rare requirement to provide a list of all third parties on request — "opt-out," "copy," "know," "edit" and "delete." The plus sign is a reference to the right to "question profiling and automated decisions that affect you."

As part of the most recently passed tranche of comprehensive privacy laws, Minnesota's law includes a few unique elements, including expanded and clarified rights regarding automated decision-making systems.

Minnesota state representative Steve Elkins highlighted these elements in his own statements that were included in the attorney general’s press release. As the primary author of the new law, Elkins is proud of being "ahead of the game" on privacy and AI governance.

Elkins went on to make an explicit connection between the killings in Minnesota and the importance of consumer privacy rights.

"One of the rights granted by the Act is the right to request the deletion of your data. I will be requesting the deletion of my personal data from the databases of a long list of 'data brokers' who provide address look-up services to the public. Accused murderer Vance Boelter used several of these data broker web sites to look up the home addresses of the legislators who he targeted. This will provide a timely 'test case' that we can use to measure compliance with this aspect of the Act and I’m happy to be the 'guinea pig.' Minnesota is one of 19 states that now grants its citizens this right and these brokers should now be in position to routinely and promptly act on these requests."

Of course, despite voluntarily complying with takedown requests, people-search websites have long asserted that most of the information they post qualifies for the "publicly available information" exception under U.S. privacy laws. Minnesota's law, too, does not apply to information that "(1) is lawfully made available from federal, state, or local government records or widely distributed media, or (2) a controller has a reasonable basis to believe has lawfully been made available to the general public."

Despite the calls from legislators for new protections, publicly available exceptions are not likely to change. Most agree that restrictions on public information would be seen as burdening the First Amendment.

Still, enhanced enforcement could make some headway on curtailing those data practices that step outside the bounds of industry best practices. As one example, the California Privacy Protection Agency brought an enforcement action earlier this year under the state’s new DELETE Act against a people search company known as Background Alert.

In the settlement, the CPPA determined that not all the information Background Alert was publishing qualified as publicly available information. According to the agency, inferences such as lists of likely associated persons are also considered personal information under the CCPA.

As the stipulated final order puts it, "Inferences present special risks to privacy. Seemingly innocuous data points, when combined with other data points, can be exploited to infer highly personal characteristics about people. Consumers can be identified, re-identified, and profiled as a result."

Inferences may also help to unmask consumers — and even the families of politicians — to enable individual targeting.

Please send feedback, updates and Minnesotan niceties to cobun@iapp.org.

Cobun Zweifel-Keegan, CIPP/US, CIPM, is the managing director, Washington, D.C., for the IAPP.