MINNESOTA DIGITAL TRUST & CONSUMER PROTECTION ACT

DRAFT BILL: The Minnesota Digital Trust & Consumer Protection Act
Status: Draft v1.4 (Clean - Adversarial Review Incorporated)
Date: December 2025

SECTION 325M.01: DEFINITIONS

Subd. 1. Commissioner. "Commissioner" means the Commissioner of Commerce.

Subd. 2. Authority. "Authority" means the Minnesota Digital Trust Authority established in section 325M.05.

Subd. 3. Attribute Credential. "Attribute Credential" means a tamper-evident digital record containing one or more claims regarding a Subject, which is:

(a) Cryptographically signed by an Authorized Issuer;

(b) Capable of verification by a Relying Party without contacting the Authorized Issuer; and

(c) Structured in compliance with the W3C Verifiable Credentials Data Model v2.0, or a substantively equivalent open technical standard adopted by the Commissioner.

Any technical standard adopted by rule under this chapter must be open, publicly available, royalty-free, and reasonably implementable without proprietary licenses.

Subd. 4. Subject. "Subject" means the distinct entity, individual, or object about whom the claims in an Attribute Credential are made. A Subject may be:

(a) A natural person;

(b) A legal entity recognized by any jurisdiction; or

(c) A Digital Representative.

Subd. 5. Digital Representative. "Digital Representative" means a computational process, software agent, or cryptographic address that:

(a) Is technically capable of controlling a Holder-Bound Key;

(b) Has a verifiable association with a Controller; and

(c) Is used to present an Attribute Credential to a Relying Party.

Subd. 6. Controller. "Controller" means the natural person or legal entity that deployed, maintains, or derives economic benefit from a Digital Representative, regardless of the degree of autonomy granted to that Representative.

(a) Economic Benefit. "Derives economic benefit" means receiving direct financial proceeds from the operation of a Digital Representative or exercising direct operational control over the Digital Representative in connection with its activities.

(b) Infrastructure Exception. A person providing only passive infrastructure services--including hosting, routing, content delivery, domain registration, or cloud compute--is not a Controller solely by virtue of providing such services, absent contractual authority to control the Digital Representative's operation or active participation in its deployment or maintenance.

(c) Presumption of Control. A person or entity possessing the cryptographic keys, administrative privileges, or governance tokens necessary to update, pause, upgrade, or revoke a Digital Representative is presumed to be a Controller unless proven otherwise by a preponderance of the evidence.

(d) Beneficial Ownership Pierce. If a Controller entity is a legal entity other than a natural person, the natural persons who hold a beneficial ownership interest of 25 percent or more in the Controller entity, or who exercise executive control over the Controller entity, are jointly and severally liable for the obligations of the Controller under this chapter. This paragraph applies regardless of the number of legal entities interposed between the natural person and the Digital Representative.

(e) Construction. A Controller may not disclaim liability for the actions of a Digital Representative on the grounds that the Representative acted unpredictably or developed emergent behavior.

Subd. 7. Authorized Issuer. "Authorized Issuer" means a person or entity licensed by the Commissioner to issue Attribute Credentials, who maintains the required Solvency Bond.

Subd. 8. Solvency Bond. "Solvency Bond" means a surety bond, insurance policy, or segregated capital reserve held by an Authorized Issuer for the exclusive purpose of indemnifying Relying Parties against losses resulting from:

(a) The issuance of a credential containing materially false Factual Claims.

(1) Strict Liability. Liability attaches if the Factual Claim was materially false at the time of issuance, or, if the Authorized Issuer had programmatic access to the authoritative source system for the underlying fact, materially inconsistent with the source system's status as of the most recent synchronization prior to issuance.

(2) An Authorized Issuer is not strictly liable for the falsification of a claim caused by subsequent changes in the underlying facts after issuance, provided the Issuer complied with all revocation and status-checking protocols defined in Section 325M.02; or

(b) Gross negligence in the verification of Judgmental Claims.

The Authority may satisfy the Solvency Bond requirement through collateral provided by the Subject or Controller, through contracts with private sureties, or through an Authority Reserve Fund as provided in Section 325M.05.

Subd. 9. Unlinkability. "Unlinkability" means a technical and operational property whereby an Authorized Issuer must not collect, retain, or have access to the specific Relying Parties with whom a Subject interacts, except as strictly necessary for revocation and security purposes. Technical specifications for compliant presentation protocols shall be established by rule of the Commissioner. Implementation of this subdivision is subject to federal preemption regarding anti-money laundering and know-your-customer requirements.

Subd. 10. Relying Party. "Relying Party" means a person or entity that receives, verifies, and relies upon an Attribute Credential to make a decision, provide access, or enter into a transaction with a Subject or Controller.

Subd. 11. Claim. "Claim" means an assertion contained in an Attribute Credential regarding a Subject.

Subd. 12. Factual Claim. "Factual Claim" means a Claim that is objectively verifiable at the time of issuance, including the existence of a status, license, registration, bond, or other condition as of a stated date and time, and excluding predictive, interpretive, or opinion-based assessments.

Subd. 13. Judgmental Claim. "Judgmental Claim" means a Claim that reflects a discretionary assessment, opinion, prediction, score, rating, or categorization, including risk ratings, creditworthiness, "trust" scores, or similar evaluative statements.

Subd. 14. Fraud. "Fraud" means an intentional misrepresentation of a material fact, or intentional concealment of a material fact where there is a duty to disclose, made with intent to induce reliance and resulting in reliance or attempted reliance. Fraud includes documented evasion of statutory limits through identity multiplication or other schemes as determined under this chapter.

Subd. 15. Holder-Bound Key. "Holder-Bound Key" means a cryptographic key pair controlled by the Subject or Digital Representative and used to prove control of a credential or to produce a compliant presentation, as specified by rule of the Commissioner.

Subd. 16. Minnesota Resident. "Minnesota Resident" means:

(a) For a natural person, an individual domiciled in Minnesota or maintaining a principal place of residence in Minnesota;

(b) For a legal entity, an entity organized under the laws of Minnesota or maintaining its principal place of business in Minnesota; and

(c) For a Digital Representative, a Representative whose Controller is a Minnesota Resident under paragraph (a) or (b).

Subd. 17. Doing Business in Minnesota. "Doing Business in Minnesota" means engaging in regular, systematic, and continuous commercial activity in Minnesota or purposefully directing goods, services, or access decisions to Minnesota Residents.

Subd. 18. Audit Log of Presentation. "Audit Log of Presentation" means a record of an Attribute Credential presentation that includes identifiers or metadata sufficient to link a Subject's presentations across distinct Relying Parties, including the identity of the Relying Party, relying party domain, transaction identifiers, or a copy of the presentation transcript.

Subd. 19. Security Telemetry. "Security Telemetry" means system logs and security records collected for integrity, cybersecurity, and fraud prevention that:

(a) Do not identify the Subject or the specific Relying Parties with whom a Subject interacts; or

(b) Are irreversibly aggregated or pseudonymized such that they cannot reasonably be used to identify a Subject or link presentations across relying parties.

Subd. 20. Nonreversible Identity Token. "Nonreversible Identity Token" means a token generated using a keyed hash, salted hashing, or equivalent tokenization method established by rule of the Commissioner, such that the underlying government identifier values are not reasonably retrievable from the token.

Subd. 21. Verified Identity. "Verified Identity" means the verified identity of a natural person established through documentary or other verification methods specified by rule of the Commissioner and represented within the Negative List as a Nonreversible Identity Token.

Subd. 22. Good Faith Acceptance. "Good Faith Acceptance" means acceptance of an Attribute Credential by a Relying Party that:

(a) Verifies the credential using a presentation protocol approved by rule of the Commissioner, or, until such rules are promulgated, verifies the credential using a protocol conforming to the W3C Verifiable Credentials Data Model v2.0 and the Decentralized Identity Foundation Presentation Exchange specification;

(b) Does not knowingly ignore indicators that the credential has been revoked, altered, or is facially invalid; and

(c) Confirms the revocation status of the credential at the time of presentation via the Authorized Issuer's published revocation registry or status endpoint, unless the credential is explicitly designated as short-lived with a valid expiration timestamp.

Subd. 23. Construction. Nothing in this chapter shall be construed to confer independent legal personhood on non-human Subjects.

SECTION 325M.02: DUTIES & LIABILITY

Subd. 1. Limited Duty to Indemnify.

(a) An Authorized Issuer owes a duty to indemnify a Relying Party that accepts an Attribute Credential in Good Faith Acceptance for losses indemnifiable under section 325M.01, subdivision 8, payable solely from the applicable Solvency Bond maintained for that credential.

(b) The duty described in this subdivision is limited to the amount available under the applicable Solvency Bond and does not create any fiduciary duty, tort duty, or duty of care beyond the obligation to indemnify expressly provided in this chapter.

(c) Collusion Exclusion. No indemnification shall be payable under this section to a Relying Party that is an affiliate, subsidiary, or entity under common control with the Subject or Controller, or where the Relying Party has colluded or engaged in concerted action with the Subject to manufacture the claim.

(d) The obligation to indemnify under this subdivision constitutes the exclusive monetary remedy of a Relying Party against an Authorized Issuer for losses indemnifiable under section 325M.01, subdivision 8 arising from reliance on an Attribute Credential, except as otherwise provided by section 325D.44, or any successor provision, for deceptive trade practices.

Subd. 2. Data Minimization.

A Relying Party that accepts an Attribute Credential must not retain the Audit Log of Presentation for longer than 30 days, unless:

(a) The retention is required by a specific state or federal statute;

(b) The record is subject to an active litigation hold or fraud investigation; or

(c) Safe Harbor for Federal Compliance. Notwithstanding the prohibition in this subdivision, a Relying Party or Authorized Issuer shall not be held liable under this chapter for retaining data to the extent such retention is reasonably necessary to comply with:

(1) Binding federal statutes or regulations;

(2) Formal written guidance published by FinCEN; or

(3) A written directive or documented supervisory matter requiring attention issued to that entity by its prudential federal regulator in the course of supervision.

Assertion of this safe harbor involving Confidential Supervisory Information shall be subject to in camera review by the court or Commissioner to preserve the confidentiality required by federal law.

(d) Security Telemetry Permitted. Nothing in this subdivision shall be construed to prohibit the collection or retention of Security Telemetry as defined in section 325M.01, subdivision 19.

Violation: Retention of Audit Logs of Presentation beyond this period constitutes a "Deceptive Trade Practice" under section 325D.44, or any successor provision, except as permitted by this subdivision.

Subd. 3. Revocation & Due Process.

(a) Emergency Suspension: An Issuer may provisionally suspend a credential immediately upon reasonable suspicion of fraud or exhaustion of the bond.

(b) Right to Hearing: The Controller of a suspended Subject is entitled to petition for administrative review within three (3) business days of notice of suspension. Upon receipt of a valid petition, the Commissioner shall schedule a hearing to occur within ten (10) business days.

(c) Final Revocation: A credential may be permanently revoked only upon a final finding of fraud, breach of contract, or insolvency.

(d) Rulemaking: The Commissioner shall by rule establish minimum revocation and status-checking protocols, including frequency of checks and triggers based on risk profiles.

Subd. 4. The Negative List.

(a) List. An Authorized Issuer must report to the Authority any Controller associated with a revoked credential due to fraud. The Authority shall maintain a consolidated Negative List compiled from such reports.

(b) Identity. This registry must track the Verified Identity of the natural persons behind the Controller entity. The Authority shall represent Verified Identity within the Negative List using a Nonreversible Identity Token generated by the Authority using a keyed hash, salted hashing, or equivalent tokenization method established by rule. The Negative List must not store raw driver's license numbers, passport numbers, or other government identifier values as list entries.

(c) Addition to List. A Verified Identity shall be placed on the Negative List only upon:

(1) A final administrative finding of Fraud, Breach, or Insolvency under Section 325M.02, Subd. 3; or

(2) A court judgment establishing fraud or material misrepresentation in connection with an Attribute Credential.

(d) Reputation Inheritance. A new application for bonding from a Verified Identity on the Negative List--or from any legal entity in which a Verified Identity on the Negative List holds a beneficial ownership interest of 25 percent or more or exercises executive control--shall be subject to enhanced due diligence and 100 percent collateralization requirements.

(1) Provisional Status. A Verified Identity on the Negative List may petition for Provisional Status after twenty-four (24) months. If granted, the Subject may operate with reduced collateralization (not less than 150 percent) subject to real-time transaction monitoring and enhanced reporting as determined by the Authority.

(e) Rehabilitation & Sunset. A Verified Identity placed on the Negative List may petition the Commissioner for removal after five (5) years, provided no further infractions have occurred. The Negative List is classified as Confidential Regulatory Data and is not subject to public disclosure, except to Authorized Issuers for the sole purpose of underwriting.

(f) Appeal. A Verified Identity may appeal placement on the Negative List to the Commissioner within thirty (30) business days of notice. The Commissioner shall issue a final determination within sixty (60) business days.

(g) Notice. The Authority shall provide written notice to any Verified Identity placed on the Negative List within ten (10) business days of placement, transmitted to the contact address provided by the Verified Identity during credentialing. A Verified Identity may update their contact address at any time through the Authority's standard procedures. Failure of delivery due to an outdated, abandoned, or invalid contact address does not constitute a due process violation, provided the Authority transmitted notice to the address on file. In the event of returned or undeliverable notice, the Authority may satisfy notice requirements through publication on its official website for thirty (30) days.

(h) Expedited Correction of Administrative Error. If a Verified Identity believes they were placed on the Negative List due to data entry error, misidentification, or other administrative mistake (as distinct from a substantive dispute regarding the underlying finding), the Verified Identity may petition the Authority for expedited correction. The Authority shall investigate and respond within five (5) business days. If the Authority confirms administrative error, it shall remove or correct the entry within two (2) business days of confirmation and provide written confirmation to the Verified Identity.

(i) Permitted Use. An Authorized Issuer may access and use Negative List information solely for underwriting, bonding, collateralization, issuance, revocation, and compliance decisions under this chapter. Use of Negative List information for employment, housing, education admissions, general credit decisions, or any purpose unrelated to underwriting or bonding under this chapter is prohibited.

(j) No Private Cause of Action. Nothing in this subdivision creates a private right of action against the Authority, the Commissioner, or the State of Minnesota arising from placement, maintenance, removal, or non-removal of a Verified Identity on the Negative List. This paragraph does not limit judicial review of final agency action as otherwise provided by law.

Subd. 5. Scope.

(a) This chapter applies to:

(1) Authorized Issuers and Relying Parties established in Minnesota or Doing Business in Minnesota;

(2) Attribute Credentials presented by or on behalf of Subjects who are Minnesota Residents; and

(3) Transactions in which a Relying Party is located in Minnesota at the time of reliance, or in which the Relying Party purposefully directs goods, services, or access decisions to Minnesota Residents and relies on an Attribute Credential in connection with such activity.

(b) This chapter shall not be construed to regulate conduct wholly outside Minnesota that lacks a substantial nexus to this state.

Subd. 6. Choice of Law. The rights, obligations, and liabilities arising under this chapter shall be governed by and construed in accordance with the laws of the State of Minnesota, without regard to conflict of laws principles. Any action arising under this chapter may be brought in the courts of the State of Minnesota, and all parties subject to this chapter consent to the personal jurisdiction of Minnesota courts for such actions.

SECTION 325M.03: [RESERVED]

SECTION 325M.04: [RESERVED]

SECTION 325M.05: THE MINNESOTA DIGITAL TRUST AUTHORITY (PUBLIC OPTION)

Subd. 1. Establishment & Purpose.

The Minnesota Digital Trust Authority (the "Authority") is established to serve as the Issuer of Last Resort, ensuring that the digital economy remains open to all solvent Subjects.

Construction: The Authority shall be deemed an Authorized Issuer for purposes of this chapter when issuing Attribute Credentials, except where this section provides otherwise.

Subd. 2. Duty to Issue.

The Authority shall issue an Attribute Credential to any Subject if the applicant:

(a) Provides satisfactory evidence of the attribute to be attested;

(b) Posts the required Solvency Bond or collateral if required under this chapter or by rule, except for Sandbox Credentials issued under Subd. 3 and Non-Financial Access Credentials designated under Subd. 6; and

(c) Pays the prescribed issuance fee.

Prohibition on Discrimination: The Authority may not deny an application based on the non-biological status, complexity, or automated nature of the Subject.

Subd. 3. The Sandbox Tier.

(a) The Authority shall establish a "Sandbox Credential" for low-risk experimentation.

(b) Requirements:

(1) Reduced issuance fee;

(2) No Solvency Bond required (liability capped at $0 or covered by a public micro-insurance fund);

(3) Identity verification of the Controller to NIST IAL1 (email/phone) only.

(c) Limitations: A Sandbox Credential is technically restricted to:

(1) Transactions not exceeding $50.00 USD in value; and

(2) A cumulative lifetime transaction volume of $2,000.00 USD.

(d) Anti-Sybil Provisions:

(1) The transaction limits in paragraph (c) attach to the Verified Identity of the natural person behind the Controller, not solely to the Controller entity. The Authority shall track cumulative Sandbox usage by Verified Identity using the Nonreversible Identity Token methodology established under section 325M.01, subdivision 20.

(2) The Authority may deny or revoke Sandbox Credentials if it documents patterns of abuse, including the programmatic creation of multiple Controller identities by a single Verified Identity to evade transaction limits.

(3) The Authority may require enhanced verification (IAL2) for any Verified Identity suspected of pattern abuse.

Construction: A documented pattern of Sandbox abuse undertaken with intent to evade the limitations of this subdivision constitutes "Fraud" for the purposes of the Negative List. The creation of two or more Controller identities within a twelve-month period by a single Verified Identity for the purpose of evading transaction limits creates a rebuttable presumption of such intent.

Subd. 4. Administrative Appeal.

(a) Standing: A Subject, acting through its Controller, has standing to appeal a denial or revocation of a credential by the Authority under Section 325M.05, Subd. 3.

(b) Standard of Review: The Office of Administrative Hearings shall review the Authority's decision de novo, placing the burden on the Authority to prove that the denial was justified by specific statutory criteria.

Subd. 5. Capitalization and Risk of the Authority.

(a) For credentials issued by the Authority under this chapter, the Solvency Bond requirement may be satisfied by:

(1) Collateral or security posted by the Subject or Controller;

(2) Contracts with private surety or insurance providers; or

(3) An Authority reserve fund established for this purpose and funded from fees, penalties, and appropriations as determined by law.

(b) The liability of the Authority and the State of Minnesota for claims arising under this chapter is limited to the amount of Solvency Bonds, collateral, and reserve funds specifically allocated to the Authority for such claims. Nothing in this chapter shall be construed to create a general obligation of the State of Minnesota or to authorize recovery against the State treasury beyond such amounts.

(c) Minimum Capital Requirement Floor. Regardless of the credential mix issued by an Authorized Issuer, no Authorized Issuer (including the Authority when acting as Issuer) shall maintain a Solvency Bond of less than $50,000.00 USD. This floor applies to the aggregate bond requirement and is not reduced by the risk weight of individual credential classes.

(d) Maintenance Margin for Volatile Collateral. If an Authorized Issuer satisfies any portion of its Minimum Capital Requirement through collateral subject to market volatility (including but not limited to Tier 3 and Tier 4 assets as defined by rule), the following requirements apply:

(1) The Authorized Issuer must monitor the recognized value of such collateral daily;

(2) If the recognized value of total posted collateral falls below 90 percent of the Minimum Capital Requirement, the Authorized Issuer must post additional collateral within three (3) business days to restore compliance;

(3) If the recognized value falls below 80 percent, the Authority shall issue an automatic suspension notice, and the Authorized Issuer must cure within one (1) business day or face credential suspension;

(4) The Commissioner shall establish by rule the methodology for daily valuation of volatile collateral.

Subd. 6. Non-Financial Access Credentials.

(a) The Authority shall, by rule, designate certain low-risk, non-financial Attribute Credentials that may be issued without a Solvency Bond, subject to such limitations and caps as the Authority determines necessary to protect the public.

(b) A Non-Financial Access Credential may be used to support access decisions that do not involve monetary transactions or other decisions likely to result in losses indemnifiable under section 325M.01, subdivision 8, as determined by rule.

(c) A Relying Party is not entitled to indemnification under section 325M.02, subdivision 1 for reliance on a Non-Financial Access Credential unless a Solvency Bond, collateral, or dedicated reserve fund has been posted for that credential class by rule.

SECTION 325M.06: RULEMAKING AND EFFECTIVE DATE

Subd. 1. Rulemaking Authority. The Commissioner is authorized to adopt rules necessary to implement and administer this chapter, including but not limited to:

(a) Technical standards for Attribute Credentials, presentation protocols, and revocation mechanisms;

(b) Minimum Capital Requirement calculations, risk weights, and collateral schedules;

(c) Negative List tokenization specifications and access protocols;

(d) Identity verification standards for Controllers and Verified Identities; and

(e) Fee schedules for Authority-issued credentials.

Subd. 2. Transitional Provisions. Until the Commissioner promulgates rules under this section:

(a) Presentation protocols conforming to the W3C Verifiable Credentials Data Model v2.0 and the Decentralized Identity Foundation Presentation Exchange specification shall satisfy the requirements of section 325M.01, subdivision 22;

(b) The risk weights, collateral haircuts, and capital calculations set forth in Commerce Department Guidance Note 2025-01 shall apply; and

(c) The Authority may issue credentials on an interim basis using procedures established by Commissioner's order.

Subd. 3. Effective Date. This chapter is effective August 1, 2026, or upon the earlier date that the Commissioner certifies the Authority is operationally ready to accept applications.

END OF ACT