On May 24, 2024, Minnesota’s governor signed the 18^th comprehensive state privacy law since California enacted the first comprehensive data privacy legislation in 2018. The Minnesota Consumer Data Privacy Act (“MCDPA”) will take effect on July 31, 2025. The MCDPA is similar in many ways to current data privacy laws but also has some elements unique to the MCDPA.

Like other data privacy laws, the MCDPA applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and satisfies one of the following thresholds:

• During a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing payment transactions; or
• Derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

Exempted from the law are government entities, Indian tribes, insurance companies, and chartered banks or credit unions. In a departure from other privacy laws, the MCDPA exempts only non-profit organizations created to detect and prevent fraudulent activities in connection with insurance and it exempts data already governed by other small businesses as defined by the U.S. Small Business Administration. The small business exemption is similar to Texas and Nebraska in that the small business cannot sell a consumer’s sensitive data without the consumer’s prior consent.  The law also contains information exemptions for protected health information and various health records, along with exemptions for information covered under GLBA, HIPAA, FCRA, FERPA, DPPA, Farm Credit Act and COPPA. Additionally, the Minnesota law exempts data collected in the course of an individual applying for employment or being employed, data necessary to administer benefits, and data processed or maintained for emergency contact purposes.

Rights of Consumers

The rights afforded consumers in Minnesota are comparable to other state privacy laws. Minnesota defines consumers as a natural person who is a Minnesota resident acting only in an individual or household context and not acting in a commercial or employment context. Under the MCDPA, consumers have the right to confirm whether a controller is processing their personal data and providing access to their data except that a controller is not required to reveal a trade secret. Minnesota consumers have the right to correct and delete personal data concerning the consumer, to request a copy of their personal data in portable format and opt-out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling. Like Oregon, the MCDPA also allows consumers to obtain a list of third parties to which the controller has disclosed the consumer’s personal data.

One unique right afforded to consumers in Minnesota is the right to be informed of the reason that profiling of the consumer’s personal data resulted in a certain decision and gives the consumer the right to have the data corrected and have the profiling decision reevaluated based upon those changes.

Minnesota also allows consumers to opt-out of the processing of their personal data by using universal opt-out mechanisms and any universal opt-out mechanisms that are compliant with other state laws are deemed compliant with MCDPA.

Controllers must comply with a consumers request to exercise their rights within 45 days and that period may be extended by 45 additional days if reasonably necessary, but the controller must notify the consumer of any extension and the reason for the delay within 45 days of the request. Controllers must provide the requested information free of charge to the consumer, up to twice per year.

Controllers that do not take action on a consumer’s request must provide the consumer the reasons for not taking action and instructions for how to appeal the decision within 45 days of the request. Such an appeal process must be conspicuously available and be easy to use by the average consumer. Following the receipt of an appeal, the controller must inform the consumer of any action taken or not taken in response to the appeal within 45 days. The information provided to the consumer must include an explanation for the controller’s decision and provide information about how to file a complaint with the Minnesota Attorney General. This time period may be extended by an additional 60 days when reasonably necessary, but the controller must inform the consumer of the extension within 45 days of the request. Records related to appeals must be maintained for at least 24 months and a copy of the records must be provided to the Minnesota Attorney General upon request.

Unique to the MCDPA is that controllers must not disclose sensitive information to a consumer in response to a consumer request but may provide sufficient particularity that the controller has collected that type of information including social security numbers, driver’s license number or government issued identification numbers, financial account numbers, health insurance account numbers, medical identification numbers, account passwords, security questions or answers, and biometric data.

Controller Responsibilities

The MCDPA requires controllers to post a privacy notice online through a conspicuous hyperlink using the word “privacy” on the controller’s homepage and the notice should be made available in each language the controller provides a product or service or is an activity related to a product or service that is subject to the privacy notice. Such privacy notice must be “reasonably accessible, clear, and meaningful” and include the categories of personal data being processed by the controller, the purpose for processing the data, an explanation of the consumer’s rights, how they may exercise those rights, the categories of data disclosed to third parties and the categories of third parties to which it may disclose the personal data, the controller’s contact information, including an active email address or other online mechanisms, a description of the controller’s data retention policies, and the date the privacy notice was last updated. Material changes to the privacy notice or practices, require the controller to notify consumers affected by the change and given them a reasonable opportunity to withdraw consent to any materially different collection, processing, or transfer activities.

Controllers which sell personal data to third parties, process personal data for targeted advertising, or engage in profiling must indicate that they do so in the privacy notice and provide a method outside of the privacy notice for consumers to opt-out of the sale, processing or profiling. The method for opt out may include a hyperlink labeled “Your Opt-Out Rights” or “Your Privacy Rights” that directly processes the opt-out request or takes consumers to a webpage where the consumer can make the opt-out request.

The MCDPA requires controllers to limit the collection of personal data to what is adequate, relevant and reasonably necessary for the purposes for which the data are processed and must be disclosed to the consumer. The Minnesota law requires controllers to maintain an inventory of data so that they can establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity and accessibility to personal data.

Controllers must not process sensitive data without the consumer’s consent and in the case of a known child, in accordance with COPPA. An effective mechanism must be provided to the consumer to revoke consent that is at least as easy as the mechanism used to provide consent.

The Minnesota law contains a unique non-discrimination provision that states that a “controller shall not process personal data on the basis of a consumer’s or a class of consumers’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.”

The Minnesota law also provides a first of its kind requirement that the policies and procedures adopted by the controller to comply with the MCDPA contain the contact information for the controller’s chief privacy officer or other individual with primary responsibility. The law also provides that controllers must conduct a data privacy and protection assessment if personal data is processed for purposes of targeted advertising, the sale of personal data, processing sensitive data, involving a heightened risk of consumer harm, and for profiling when the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment or disparate impact on consumers; a financial, physical or reputational injury to consumers; an intrusion upon a consumer’s solitude or private affairs; or other substantial harm to consumers. Additionally, the Minnesota Attorney General may request that a controller disclose a data privacy and protection assessment for their evaluation.

Under the MCDPA, data processors are also subject to responsibilities, including adhering to the instructions of the controller and assisting the controller to meet their obligations under the law.  The Minnesota law requires controllers and processors to enter a clear and binding contract which governs the data processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must also include requirements that the processor is subject to (i) the duty of confidentiality; (ii) to delete or return all personal data as requested by the controller; (iii) allow the controller the opportunity to object to any subcontractor; and (iv) impose the same obligations on any subcontractor as imposed on it by the controller.

Enforcement

The MCDPA affords no private right of action and provides the Minnesota Attorney General with exclusive enforcement authority. Controllers will have a 30-day period to cure alleged violations before an enforcement action may proceed until January 31, 2026.

The Minnesota Attorney General may bring a legal action for civil penalties limited to $7,500 per violation and reasonable attorney's fees.  The Attorney General may also seek injunctive relief to limit identified violations.