On May 24, 2024, Minnesota Governor Tim Walz signed into law the nation's 19th comprehensive data privacy law, the Minnesota Consumer Data Privacy Act (the "Minnesota Act"), which will take effect on July 31, 2025.  This law is similar to other US state data privacy laws such as the Washington, New Hampshire, and Maryland laws, and efforts to comply with those laws will largely fulfill the requirements of the Minnesota Act.  However, the Minnesota Act has several unique features, including an exemption for small businesses, and providing consumers with the right to question profiling decisions.

In this latest in our series of articles on US State Data Privacy Laws, we summarize the key components of the Minnesota Act.

To whom does the Minnesota Act apply?

The Minnesota Act imposes obligations on "controllers" – individuals or legal entities that determine the purpose and means of processing personal data – who either conduct business in the state of Minnesota or produce products or services targeted to residents of Minnesota and who, within a calendar year, either:

• Control or process the personal data of at least 100,000 unique Minnesota consumers; or
• Control or process personal data of 25,000 unique Minnesota consumers and derive over 25% of gross revenue from the sale of personal data.

"Personal data" is any information that is "linked or reasonably linkable to an identified or identifiable individual" and excludes publicly available or de-identified information.  "Sale" of personal data is broadly defined, like the California and Connecticut laws, to include not only monetary consideration but also exchange for "other valuable consideration."

Like other state privacy laws, the Minnesota Act exempts several categories of entities, including government entities, Indian tribes, chartered banks or credit unions, and insurance companies. It also exempts certain data governed by other regimes including financial data regulated by the Gramm-Leach-Bliley Act; protected health information governed by the Health Insurance Portability and Accountability Act; consumer credit-reporting data; and data covered by the Drivers' Privacy Protection Act, the Family Educational Rights and Privacy Act, Fair Credit Reporting Act, and the Farm Credit Act.  Additionally, the Minnesota Act exempts data for the purposes of job applications or employment, data necessary to administer benefits, as well as data processed or maintained for emergency contact purposes.  The Minnesota Act also exempts nonprofit organizations that are established to detect and prevent insurance fraud.

The Minnesota Act is one of the few state privacy acts (along with Texas and Nebraska) that exempt small businesses (as defined by the United States Small Business Administration), though a small business may not sell a consumer's sensitive data without the consumer's prior consent.

What rights does the Minnesota Act give to consumers?

Minnesota consumers, defined as a natural person who is a Minnesota resident acting only in an individual or household capacity, and not acting in a commercial or employment context, will gain rights that are largely consistent with other states' data privacy regimes.  Consumers may:

• Confirm whether a controller is processing their personal data and providing access to their data, unless providing confirmation and access would require the controller to reveal a trade secret;
• Correct inaccuracies in their personal data;
• Delete personal data concerning them;
• Obtain a copy, in an accessible format, of their personal data processed by the controller (i.e., data portability);
• Opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their personal data, or profiling; and
• Obtain a list of third parties to which the controller has disclosed the consumer's personal data.

The Minnesota Act contains a unique right for consumers, the right to question the results of a controller's profiling. Specifically, consumers have the right to be informed of the reason that the profiling resulted in a specific decision, and be informed of the actions the consumer may take to secure a different decision in the future.  The consumer may also review the consumer's data used in the profiling, and correct inaccurate data for reevaluation.

The Minnesota Act requires controllers who receive a request from a consumer seeking to exercise these rights to respond to the consumer within 45 days.  If it is reasonably necessary to extend that time due to the extent or complexity of the request, the controller must notify the consumer of the extension within 45 days.  Controllers must supply information to a consumer free of charge upon request, up to twice per year.

Controllers must also establish a process for consumers to appeal denials of their requests, within a reasonable time after communicating that denial.  The appeal process must be "conspicuously available" and allow for ease of use.  The controller must respond to an appeal within 45 days, though the controller may extend this time by an additional 60 days where reasonably necessary and through notifying the consumer.  When a controller communicates the result of an appeal to a consumer, the controller must provide the consumer information on how to appeal the results to the Minnesota Attorney General.  The controller must also maintain records of all appeals and its responses for at least 24 months and provide a copy of the records to the Minnesota Attorney General upon request.

An unusual feature of the Minnesota Act is that controllers may not disclose certain sensitive information to a consumer when responding to a consumer request, but may only inform the consumer whether the controller has in fact collected such information.  This sensitive information includes social security numbers, government-issued identification numbers, financial account numbers, account passwords, health insurance account numbers, and biometric data.

What obligations does the Minnesota Act impose on controllers and processors?

The Minnesota Act requires controllers to provide consumers a "reasonably accessible, clear, and meaningful" online privacy notice, posted on its homepage using a hyperlink that contains the word "privacy,"  that includes: the categories of personal data it processes; its purpose for processing the data; an explanation of the consumer's rights and how they may exercise those rights; the categories of third parties to which it may disclose the personal data and which categories of data it may disclose; a description of the controllers' data retention policies; and an active email address or other online mechanism for the consumer to directly contact the controller.  Notably, controllers must electronically notify consumers of any material changes to the privacy notice and provide them a reasonable opportunity to withdraw consent to any materially different processing activities.

If the controller sells personal data, processes personal data for targeted advertising, or engages in profiling, the controller must indicate such within the privacy notice and provide a method outside of the privacy notice for consumers to opt-out of such sale or processing.  The method may include a hyperlink labeled "Your Opt-Out Rights" or "Your Privacy Rights" that directly effectuates the opt-out request or takes consumers to a webpage where the consumer can make the request.

The Minnesota Act does not require a separate privacy notice specific to Minnesota residents if the controller's general privacy notice contains all required information.

Controllers must also:

• Limit the collection of personal data to what is "adequate, relevant, and reasonably necessary" in relation to the disclosed purposes with which the data is processed, which must be disclosed to the consumer.
• Establish and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity and accessibility of personal data that are appropriate for the volume and type of data.
• Disclose to consumers if they sell personal data to third parties or process personal data for targeted advertising and provide a clear and conspicuous link on their website for consumers to opt out.
• Not process "sensitive data" without the consumer's consent, or in the case of a known child, in accordance with the Children's Online Privacy Protection Act ("COPPA").  Sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data for the purpose of uniquely identifying an individual, data collected from a known child, and specific geolocation data.
• Provide a mechanism for the consumer to revoke consent that is as easy as the mechanism they used to provide consent.
• Not process data in violation of state and federal laws prohibiting discrimination.
• Not discriminate against consumers based on the exercise of any rights under the Minnesota Act.

Furthermore, controllers must conduct a data protection impact assessment regarding certain classes of data use, including:

• targeted advertising;
• processing sensitive data;
• selling personal data;
• any processing activities involving personal data with a heightened risk of consumer harm; and
• processing data for profiling, if the profiling presents a reasonably foreseeable risk of unfair or deceptive treatment, unlawful disparate impact on consumers, intrusion upon a consumer's solitude or private affairs, or other substantial injury to consumers.

The Minnesota Attorney General may review an assessment for compliance with the law.  Data protection impact assessments that a controller conducted to comply with other states' laws of a similar scope and effect may be used to comply with this requirement, and a single data protection assessment may address multiple sets of comparable operations that include similar activities.

Additionally, controllers must document and maintain a description of its policies and procedures it has adopted to comply with the Minnesota Act including the name and contact information for the Company's chief privacy officer or other individual charged with compliance with the law.

Like the data privacy laws of other states, including California, Connecticut, New Jersey and Texas, the Minnesota Act requires controllers to allow consumers to opt out of processing their personal data by using universal opt-out mechanisms ("UOOMs").  Notably, UOOMs that have been approved by other state laws are deemed to comply with the Minnesota Act.

The Minnesota Act requires data processors to "assist the controller in meeting [its] obligations" under the law.  A controller and processor must enter into a binding contract that governs their data processing, including requiring processors to protect the confidentiality of the data (including ensuring each person processing personal data is subject to a duty of confidentiality), to delete or return personal data to the controller when requested, provide the controller the opportunity to reject any subcontractor, and to impose the same requirements on any subcontractor as imposed on it by the controller.

Enforcement

The Minnesota Attorney General will have exclusive enforcement authority and there is no private right of action available under this act. Until January 31, 2026, the Minnesota Act provides controllers a 30-day period to cure alleged violations before an enforcement action may proceed.

The Attorney General may bring an enforcement action for civil penalties of up to $7,500 per violation and reasonable attorney's fees.  The Attorney General may also seek injunctive relief to curb identified violations.

Summary of Key Aspects of the Minnesota Act

• Allows for Universal Opt-Outs. Like several other states that have passed comprehensive data privacy laws, Minnesota will require controllers to allow consumers to communicate their privacy preferences through UOOMs.
• Expiring 30-day Cure Provision. The Minnesota Act provides for a 30-day cure provision against enforcement actions, but this will expire on January 31, 2026.
• Civil Penalties. The potential of civil penalties of up to $7,500 per violation could lead to substantial fines for controllers or processors unprepared to implement the law or to cure within the prescribed period.
• Small Business Exemption. Small business (as defined by the United States Small Business Administration) are exempt from the Minnesota Act, except for the provision requiring a consumer's prior consent to sell sensitive data.
• Profiling. The Minnesota Act contains the unique right for consumers to question profiling, including the right to ask for the results of profiling and challenge inaccurate information. 
• Conspicuous Opt Out Link. If a controller sells personal data, processes personal data for targeted advertising, or engages in profiling, the controller must provide a method outside of the privacy notice for consumers to opt-out of such sale or processing. 
• Notification of Changes to Privacy Notice. Controllers must electronically notify consumers of any material changes to the privacy notice and provide consumers a reasonable opportunity to withdraw their consent.
• Prohibition on Disclosing Sensitive Data. When responding to consumer requests, controllers may not disclose certain sensitive information to a consumer, but can only confirm they have in fact collected that piece of information.
• Records Retention. Controllers must maintain records of all appeals and its responses for at least 24 months.  Additionally, controllers must retain policies adopted to comply with the law including identifying the primary individual responsible for the controller's compliance (e.g., Chief Privacy Officer).