SF5120

Purpose

This bill would require social media platforms and remote computing services to report certain criminal activity to the Minnesota Attorney General. It sets when to report, what information to include, how data is handled, and penalties for not reporting. It also outlines how the Attorney General must process, preserve, and publish information about these reports, while protecting user privacy.

Key Definitions

• Actual knowledge: A provider knows or has custody of information that a reasonable person would consider sufficient to know a crime is happening or has happened; includes information from law enforcement or credible reports within 48 hours.
• Reasonable belief: A provider may submit a report even if they do not have actual knowledge, but reasonably believe a crime is occurring.
• Geographic identifying information: Information such as area code or ZIP code, and whether a VPN was used.
• Provider: The entity that provides access to a social media platform or a remote computing service.
• Remote computing service: A service that provides public computer storage or processing via electronic networks.
• Social media platform and User: As defined in related Minnesota law.
• Content of the report: Specific details the provider must share about the account and the alleged crime.

What providers must do (Duty to Report)

• When to report:
  • If there is actual knowledge that a crime involving fentanyl, methamphetamine, or a counterfeit substance (including counterfeit prescription drugs or pills) is or has been committed, the provider must report to the Attorney General within 60 days of obtaining that knowledge.
  • A provider may also report if they have a reasonable belief that such crimes are being or have been committed.
• What to include (Content of the report):
  • Provider contact details (mailing address, phone, fax, email).
  • Account information (name, address, email, user ID, IP address, screen names, and other identifying info).
  • Details about how content related to the crime was uploaded or found, geographic location, data such as photos, messages, or videos, and the full communication containing the information.
  • Any information provided by a user alleging facts related to the crime.
• Privacy protections:
  • Providers are not allowed to monitor user communications beyond what’s needed to verify or investigate information received from law enforcement or a third party, and they must address privacy limits.
  • Providers are not required to break end-to-end encryption or decrypt encrypted communications.
• Prohibition and exemptions:
  • Law enforcement cannot arrange for someone else to submit a report on their behalf.
  • The report contents and any evidence cannot be used in court if the report was filed in violation of this rule.
  • Exemptions apply to certain services, like some broadband internet access and standard text messaging services.
• Immunity:
  • A provider that submits a report in good faith is protected from civil and criminal liability for submitting the report, unless the provider knowingly gives false information.

How the Attorney General handles reports

• Review and steps:
  • Upon receiving a report, the Attorney General will do a preliminary review to decide if it warrants further investigation and may share it with other law enforcement agencies.
  • The AG can designate which law enforcement agencies will handle the investigation.
• Data minimization and retention:
  • The AG must limit how long the report and its contents are stored to what is reasonably necessary to investigate the crimes.
  • The AG must delete the report after it’s no longer needed for investigation, unless there is future evidentiary value.
• Annual reporting:
  • The Attorney General will publish an annual report about these reports, including totals, whether cases led to convictions, and how the information was discovered (e.g., human moderation, algorithms) and what data was shared with federal or local law enforcement.
  • The report will also show how often the AG asked providers to continue preserving the contents.

Data preservation and user notification

• Preservation period:
  • A completed report is treated as a request to preserve the contents for 90 days after submission.
  • The AG may seek extensions only if there is an active or pending investigation involving the related user/account.
  • Other agencies may seek continued preservation beyond the 90 days.
• User notification:
  • Providers cannot notify the user about a preservation request until the AG is informed and at least 45 business days have passed since the notice.
• Protecting preserved materials:
  • Materials must be kept secure and access should be limited to necessary personnel.

Penalties and enforcement

• Failure to submit a required report:
  • Civil penalties can be up to $200,000 for the first violation and up to $400,000 for each subsequent violation.
• Incomplete or false reports:
  • Civil penalties range from $50,000 to $100,000 if the report knowingly contains false information or fails to provide required information.
  • Before enforcement, the AG must notify the provider in writing and give a reasonable cure period.
• Who enforces:
  • The Attorney General enforces these provisions and related sections.

Significant changes to existing law

• Creates a mandatory reporting duty for social media platforms and remote computing services when they have actual knowledge or a reasonable belief of certain drug-related crimes.
• Establishes detailed reporting content requirements, including account and technical identifiers.
• Introduces data privacy and protection rules around reporting, including limits on monitoring and encryption considerations.
• Establishes a formal data preservation process with a 90-day preservation period and specific conditions for extensions.
• Requires an annual AG report on these reports and related activities, including how information is found and shared.
• Imposes civil penalties on providers for noncompliance or false/incomplete reporting.
• Adds new responsibilities for the Attorney General in reviewing, minimizing data retention, and coordinating with other law enforcement.

Relevant Terms - Actual knowledge - Reasonable belief - Geographic identifying information - Area code - ZIP code - Virtual private network (VPN) - Provider - Social media platform - Remote computing service - Fentanyl - Methamphetamine - Counterfeit substance - Prescription drug - Prescription stimulant - Account information (name, IP address, screen names) - End-to-end encryption - Data preservation - Preservation period (90 days) - Data minimization - Criminal investigative data - Civil penalties - Annual report - Law enforcement coordination - Content moderation (human or nonhuman/algorithm) - Unauthorized disclosure or use in court