Minnesota debuted in the US privacy landscape by enacting the Minnesota Consumer Data Privacy Act. The law received the governor's approval in May 2024 and will take effect in 2025.
What is the Minnesota Consumer Data Privacy Act (MCDPA)?
As data privacy concerns escalate, states across the US are enacting privacy laws. Minnesota has recently entered this realm. Though it shares similarities with other laws, such as the New Hampshire privacy law, it also introduces unique provisions.
The law grants several rights to consumers, including the right to confirm and opt-out, but the one that stands out is the right to question the results of profiling. Along with privacy rights, Minnesota law enforces stringent obligations upon businesses.
Who does the Minnesota Consumer Data Privacy Act apply to?
The Minnesota privacy law applies to businesses operating within the state or targeting products/services to Minnesota residents, provided they fulfil any of the following criteria in a year:
- Control/process the personal data of 100,000 consumers or more, except for completing payment transactions.
- Control/process the personal data of 25,000 consumers or more and gain more than 25% of revenue from the sale of personal data.
The law also extends its scope to technology providers as defined under the Education record law.
Who does the Minnesota Consumer Data Privacy Act not apply to?
MCDPA grants exemptions to certain entities such as government entities, federally recognized Indian tribes, covered entities and protected information under HIPAA, personal data covered by the Gramm-Leach-Bliley Act, etc.
Apart from these standard exemptions, the law also exempts small businesses (except for sensitive data sale provisions), and non-profit organizations that detect and prevent insurance-related fraudulent acts.
What is personal data under the Minnesota Consumer Data Privacy Act?
Personal data under Minnesota privacy law aligns with definitions in other US privacy laws. It is any information that is linked or is reasonably linkable to an identified or identifiable person.
Personal data does not include publicly available information or de-identified data.
Publicly available information includes any information available through government records or widely distributed media, or information that the controller has a reasonable basis to believe has been lawfully made available to the general public.
What is sensitive data under the Minnesota Consumer Data Privacy Act?
The following categories of personal data are further categorized as sensitive under Minnesota privacy law and require user consent before their processing:
- Personal data revealing:
- Racial or ethnic origin
- Religious beliefs
- Mental/physical health condition or diagnosis
- Sexual orientation
- Citizenship/immigration status
- Processing of biometric/genetic information to identify a person
- Personal data of an individual known to be a child
- Specific geolocation data
What are the consent requirements under the Minnesota Consumer Data Privacy Act?
Minnesota's consent requirements are similar to most US privacy laws.
Consent is defined as a freely given, specific, informed and unambiguous indication of the consumer's wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer.
Do not rely on acceptance of general or broader terms for consent. Likewise, hovering over, muting, pausing or closing the consent banner or a piece of such content will not constitute consent.
Do not obtain consent using dark patterns. Later in this blog, we will thoroughly examine the circumstances where businesses are required to obtain consent.
What are the privacy notice requirements under the Minnesota Consumer Data Privacy Act?
The law demands stringent and elaborate privacy notice standards. Let us take a look at what information must be provided in your privacy notice.
- Categories of personal data processed by your business
- The specific purposes of processing
- Consumer rights and how they can be exercised including the appeal process
- Categories of personal data your business sells or shares with third parties
- Categories of such third parties to whom the data is sold or with whom it is shared
- Controller's contact information, including an active email address or other online mechanism
- Controller’s retention policy of personal data
- The last update date of the privacy notice
- If personal data is used for targeted advertising, profiling, or sale, disclose that along with an opt-out link such as "Your Opt-Out Rights" or "Your Privacy Rights"
The privacy notice must be easily accessible and made available in all languages in which your business provides products or services to which the notice applies.
What are the obligations of businesses under the Minnesota Consumer Data Privacy Act?
Businesses to whom the Minnesota law applies must comply with the following obligations:
Transparency
As discussed already, businesses must conspicuously provide an easily understandable privacy policy to consumers. Ensure that it is accessible and usable by persons with disabilities.
Furthermore, inform individuals using any reasonable electronic means about any changes to the privacy policy and allow them to withdraw consent if required. The privacy notice must be accessible via a clear “privacy” link on the controller’s website home page, app store page, or download page. For mobile applications, it should also be available in the app’s settings menu or an equally visible location.
Data minimization
Limit the collection of personal data to what is adequate, relevant or necessary to fulfil the disclosed purpose to the consumer.
Purpose limitation
Businesses cannot use the collected data for any purposes other than those disclosed to the consumer unless the consumer consents to it. It is also important to note that you cannot retain personal data that is no longer relevant or necessary for its original purpose unless required by law.
Security safeguards
Ensure that you have implemented appropriate technical, physical, and administrative security measures proportional to the volume and nature of the data to safeguard the confidentiality of personal data under your control.
Consent
Businesses cannot process sensitive data without the consumer's consent. For children below 13, obtain verifiable parental consent in adherence to COPPA. To sell sensitive data, all businesses, including small businesses, must obtain consumer consent.
Furthermore, consent is necessary for processing the personal data of individuals between 13 and 16 years of age for targeted advertising, sale and profiling.
Consumers have the right to revoke their consent at any time. Therefore, you must provide convenient consent withdrawal mechanisms. Upon revocation, stop processing the personal data within 15 days.
Non-discrimination
Minnesota law does not permit discrimination against consumers based on their exercise of rights. But that is not all; there is more you must be cautious of.
Businesses cannot process personal data in a discriminatory manner based on race, colour, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, income source, or disability when offering housing, employment, credit, education, goods, privileges, advantages or public accommodations.
Data privacy policies
Minnesota law creates a unique requirement for businesses to document and maintain a description of the policies and procedures that demonstrate their compliance with the obligations imposed by the law. Along with the data protection strategies, the policy must contain the name and contact information of the chief privacy officer.
Data privacy and protection assessments
Businesses must conduct assessments for the processing of data involving high risks such as sensitive data, personal data used for profiling, etc. These assessments must be kept confidential.
Contractual relationship
Have a contractual relationship with the processors and third parties involved in processing and ensure their compliance with the law. The contract must determine the nature and purpose of processing, its duration, the types of data processed, etc.
Global opt-outs
The law requires businesses to recognize universal opt-out signals.
Response to consumer requests
Respond to consumer requests within 45 days; if necessary, this can be extended by another 45 days after promptly notifying the consumer.
Businesses must also fulfil the request for information by the customer free of charge twice annually per person.
Controllers cannot directly disclose the following in response to a consumer request:
- Social security numbers
- Driver’s licence numbers or other government identifiers
- Financial account numbers
- Health insurance numbers or medical identification numbers
- Account passwords, security questions or answers
- Biometric data.
Appeal
Controllers must establish a process for the consumer to appeal against the refusal of a consumer request. Respond to the appeal within 45 days, which can be extended by another 60 days if necessary.
What are the rights of consumers under the Minnesota Consumer Data Privacy Act?
The Minnesota privacy law empowers consumers with the following rights:
Right to confirm
Consumers have the right to confirm whether the business is processing their personal data and access the categories of such data being processed.
Right to correct
The law also allows consumers to correct any inaccuracies in their personal data.
Right to delete
Consumers can request the deletion of their personal data.
Right to portability
Consumers can obtain the personal data provided by them to the controller in a portable and readily usable format.
Right to opt-out
Consumers have the right to opt out of:
- Targeted advertising
- Profiling
- Sale of personal data
Right to question
This unique right allows consumers to question the results of profiling and to be informed of the reasons for such a decision.
Additionally, they can also review the personal data used for profiling. If it turns out that the profiling decision was based on incorrect information, they can correct the data and request re-evaluation.
Right to obtain
Consumers can obtain the list of specific third parties with whom their personal data is shared. If the controller does not keep records specific to the consumer, the controller can instead provide the list of third parties with whom it has shared any consumer's personal data.
Enforcement of the Minnesota Consumer Data Privacy Act
The Attorney General of Minnesota has the exclusive enforcement authority of the law. The law does not grant a private right of action to the consumers.
The law gives a cure provision that expires on January 31, 2026. Before initiating legal action, the AG will provide a warning letter and 30 days to cure the violation. If the violation continues after the cure period, legal action might arise.
The law prescribes a civil injunction and a penalty of $7500 for a single violation.
Checklist: Minnesota Consumer Data Privacy Act compliance
- Practice data minimization and purpose limitation
- Obtain prior consent to process and sell sensitive data
- Do not process the personal data of consumers aged 13 to 16 for targeted advertising, profiling and sale without prior consent
- Adhere to COPPA regulations while processing children's personal data (below 13 years)
- Provide opt-out mechanisms for targeted advertising, sale of personal data and profiling
- Recognize global opt-outs
- Provide a clear and accessible privacy notice
- Document and maintain descriptions and policies to demonstrate compliance
- Respond to consumer requests promptly
- Have a contractual relationship with processors and third parties
- Do not discriminate against consumers
- Conduct data protection impact assessments
FAQ on Minnesota privacy law
Yes, the Minnesota governor approved the Consumer Data Privacy Act in May 2024, and it will be in effect from July 2025. The law requires businesses to comply with obligations such as data minimization, purpose limitation, privacy notice, consent requirements, etc. Although the law is similar to most US privacy laws, some provisions make it stand apart.
The Minnesota law confers upon consumers the rights to confirm, correct, delete, portability, opt-out, question the results of profiling, and obtain the list of third parties with whom personal data is shared.