
Introduction

On May 24, 2024, Governor Walz signed the Minnesota Consumer Data Privacy Act (MCDPA) into law, making Minnesota the latest state to enact comprehensive privacy legislation. The MCDPA provides Minnesota residents (called “consumers”) with significant new privacy rights and imposes substantial obligations on businesses to which it applies. While those rights and obligations largely align with other state privacy laws—particularly those in Colorado, Connecticut, Iowa and Virginia—the MCDPA has some unique elements as discussed below. Businesses subject to the MCDPA have until July 1, 2025, to come into compliance. The following explains the MCDPA’s key requirements.

Applicability

The MCDPA applies to entities that conduct business in Minnesota or produce products or services targeted to Minnesota consumers, if they meet one of the following thresholds:

  • During a calendar year, control or process personal data of 100,000 consumers or more; or
  • Derive over 25 percent of gross revenue from the sale of personal data and process or control personal data of 25,000 consumers or more.

For the purposes of the MCDPA, a “sale” includes an exchange of personal data for monetary consideration or “any other valuable consideration.”

In a “first,” the MCDPA specifically applies to “technology providers” that contract with public education agencies and institutions pursuant to Minnesota Statute § 13.32. As a result, the MCDPA appears to have uniquely broad applicability to EdTech companies.

Exemptions

The MCDPA includes exemptions for certain types of businesses and data. The business-level exemptions include governmental entities, federally recognized Indian tribes, “small business” as defined by the U.S. Small Business Administration regulations, air carriers under the Airline Deregulation Act and certain kinds of banks, credit unions and insurance companies. Notably, the MCDPA does not exempt non-profit organizations, except if they are “established to detect and prevent fraudulent acts in connection with insurance.” It also does not include an entity-level exemption for companies that are covered entities or business associates under HIPAA.

The MCDPA’s data-level exemptions are consistent with most other state privacy laws. Specifically, the MCDPA exempts data regulated by HIPAA, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, the Minnesota Insurance Fair Information Reporting Act and various other regulations.

Controllers and Processors

Obligations under the MCDPA apply to “controllers” and “processors,” concepts present in other state privacy laws, in connection with their processing of personal data concerning “consumers.” The MCDPA defines a “consumer” as a Minnesota resident acting in an individual or household context, but not in a commercial or employment context. As a result, the MCDPA does not apply to personal data about Minnesota residents in their capacity as job applicants, employees or business representatives.

A “controller” is a “natural or legal person that, alone or jointly with others, determines the purposes and means of processing personal data.” A processor, in turn, is a “natural or legal person who processes personal data on behalf of a controller.” Determining whether an entity is a controller or a processor under the MCDPA is “a fact-based determination that depends upon the context in which personal data are to be processed.”

The MCDPA requires the activities of a processor to be governed by a contract with the controller. The contract must identify, among other things, the instructions to which the processor is bound, including “the nature and purpose of the processing, the type of personal data subject to the processing, the duration of the processing and the rights and obligations of both parties.”

A processor is responsible for assisting a controller in meeting its obligations under the MCDPA and must ensure that each person it uses to process personal data for the controller is bound by a duty of confidentiality. The processor may engage a subcontractor only if certain requirements are met and only after giving the controller an opportunity to object to the subcontractor. Further, the processor must allow for, and contribute to, reasonable assessments and inspections by the controller or the controller’s auditor.

Consumer Rights

The rights available to consumers under the MCDPA generally align with other state privacy laws and will be familiar to businesses subject to such laws. Specifically, the MCDPA provides consumers with the right to:

  • Confirm whether a controller is processing personal data about the consumer and to access the categories of personal data processed by the controller;
  • Correct inaccurate personal data concerning the consumer, taking into account the nature of the data and purposes of processing;
  • Delete the consumer’s personal data (subject to exceptions);
  • Obtain a copy of personal data that the consumer previously provided to the controller, where the data processing is conducted by automated means; and
  • Obtain a list of the specific third parties to whom the controller disclosed the consumer’s personal data or, if not available, a list of the specific third parties to whom the controller has disclosed any consumers’ personal data.

In addition, the MCDPA gives consumers the right to opt out of (a) the sale of their personal data (subject to numerous exceptions), (b) the processing of their personal data for targeted advertising and (c) the use of their personal data for profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer (e.g., decisions that result in the approval or denial of financial services, loans, housing, insurance, employment, educational opportunities, etc.). Consumers may designate an authorized agent to exercise these “opt-out” rights on their behalf, including by using specific technologies such as a browser setting, browser extension or global device setting or other universal opt-out mechanism. Controllers must recognize opt-out requests submitted by universal opt-out mechanisms.
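The paragraph above requires controllers to honor opt-out requests that arrive through a universal opt-out mechanism, not only through a web form. The following is an added example, not code from the original alert or from any vendor, showing how a controller's back end can merge such signals into a stored opt-out record. It assumes the universal mechanism is Global Privacy Control, which browsers send as the `Sec-GPC: 1` request header (the page itself does not name a specific mechanism), and it assumes the signal covers sale and targeted advertising while a profiling opt-out still arrives as an explicit request. The sample requests and the `OptOutState` record are constructed for illustration.

```python
from dataclasses import dataclass, field

# Purposes for which the MCDPA gives consumers an opt-out right.
SALE = "sale"
TARGETED_ADVERTISING = "targeted_advertising"
PROFILING = "profiling"
ALL_OPT_OUT_PURPOSES = frozenset({SALE, TARGETED_ADVERTISING, PROFILING})

# Assumption: the universal signal is GPC, which expresses a do-not-sell/share
# preference. That maps to sale and targeted advertising; an opt-out of
# profiling still has to come in as an explicit request.
SIGNAL_PURPOSES = frozenset({SALE, TARGETED_ADVERTISING})


@dataclass
class OptOutState:
    """Stored opt-out record for one consumer (constructed for this example)."""
    opted_out: set[str] = field(default_factory=set)
    sources: dict[str, str] = field(default_factory=dict)  # purpose -> how it was set


def has_gpc_signal(headers) -> bool:
    """True iff the request carries Sec-GPC with the exact value "1".

    HTTP header names are case-insensitive, so compare lower-cased. Any other
    value (for example "0" or "true") is not an opt-out signal.
    """
    return any(name.lower() == "sec-gpc" and value.strip() == "1"
               for name, value in headers.items())


def apply_request(state, headers, explicit_purposes=(), via_agent=False):
    """Merge the signals carried by one request into the consumer's state.

    - A universal signal opts the consumer out of SIGNAL_PURPOSES.
    - An explicit request (web form, or an authorized agent acting for the
      consumer) opts out of exactly the purposes it names.
    - Neither path ever removes an existing opt-out: opting back in must be a
      separate, explicit consent, never inferred from a missing header.
    Returns the updated state.
    """
    unknown = set(explicit_purposes) - ALL_OPT_OUT_PURPOSES
    if unknown:
        raise ValueError(f"not an MCDPA opt-out purpose: {sorted(unknown)}")
    if has_gpc_signal(headers):
        for purpose in SIGNAL_PURPOSES:
            state.opted_out.add(purpose)
            state.sources.setdefault(purpose, "universal-opt-out-signal")
    for purpose in explicit_purposes:
        state.opted_out.add(purpose)
        state.sources[purpose] = "authorized-agent" if via_agent else "consumer-request"
    return state


def permitted_purposes(state):
    """Opt-out purposes the controller may still process for this consumer."""
    return ALL_OPT_OUT_PURPOSES - state.opted_out


def demo():
    """Constructed sequence: a browser with GPC on, then an agent-submitted
    profiling opt-out, then a later request from a browser without the header."""
    state = OptOutState()
    apply_request(state, {"User-Agent": "example", "SEC-GPC": "1"})
    apply_request(state, {"sec-gpc": "0"}, explicit_purposes=[PROFILING], via_agent=True)
    apply_request(state, {})  # no header: must not re-enable anything
    return state


if __name__ == "__main__":
    s = demo()
    print(sorted(s.opted_out), s.sources, sorted(permitted_purposes(s)))
```

The design point is the third bullet in `apply_request`: a request that lacks the header is not evidence of consent, so the absence of `Sec-GPC` on a later visit leaves the stored opt-out intact. Recording the source of each opt-out also gives the controller the record it needs if a consumer later disputes how a preference was set.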

In connection with profiling, the MCDPA goes beyond many other state privacy laws. Specifically, the MCDPA gives consumers the right to question the result of profiling that has produced a legal or similarly significant effect, to be informed of the reason that the profiling resulted in that effect, and, if feasible, to be informed of the actions the consumer could have taken to secure a different result and the action the consumer may take to obtain a different result in the future. In addition, consumers have the right to review the personal data used in the profiling and, if inaccurate, to have controllers correct the data and reevaluate the profiling decision.

Timing Requirements for Consumer Rights and Appeals

A controller must provide one or more secure and reliable methods for consumers to submit requests to exercise the foregoing rights. A consumer may exercise the foregoing rights at any time by submitting a request to a controller and identifying the rights the consumer wishes to exercise. The controller, in turn, must act on the request no later than 45 days after receiving the request. In certain circumstances, the controller may extend this period by an additional 45 days.

A controller must also establish a process allowing consumers to appeal the controller’s denial of, or refusal to act on, a request to exercise rights. If a consumer submits an appeal, the controller must respond within 45 days of receipt explaining the reasons supporting any action taken on the appeal. The controller can extend this period by an additional 60 days where necessary. In responding to an appeal, the controller must also inform the consumer how to file a complaint with the Minnesota Attorney General. The controller must maintain records of all appeals and its responses for at least 24 months.

Privacy Program Requirements

The MCDPA imposes several requirements relating to the implementation of a formal privacy program. For example, the MCDPA requires a controller to document and maintain a description of the policies and procedures that it has developed to:

  • Meet the controller’s responsibilities under the MCDPA (e.g., transparency, use of data, non-discrimination);
  • Reflect the MCDPA’s requirements in the design of the controller’s systems;
  • Identify and provide personal data to a consumer pursuant to a request for such information under the MCDPA;
  • Establish, implement and maintain appropriate administrative, technical and physical security practices to protect the confidentiality, integrity and accessibility of personal data, including by maintaining a personal data inventory;
  • Limit collection of personal data to what is adequate, relevant and necessary for the purposes for which data are processed;
  • Prevent the retention of personal data for longer than is relevant and necessary considering the purposes for which the data was collected; and
  • Identify and correct violations of the MCDPA.

Note: the requirement to maintain a personal data inventory is a first for any state privacy law.

In addition, the MCDPA requires a controller to conduct “data privacy and protection assessments” for certain processing activities, including processing personal data in connection with targeted advertising, sales of personal data, processing sensitive data, profiling that presents a heightened risk of harm to consumers and profiling that presents certain types of foreseeable risks (e.g., unfair and deceptive treatment, financial or reputational injury, intrusion on seclusion, etc.).

The purpose of data privacy and protection assessments is to analyze and compare the benefits that the controller, consumer or other stakeholders (including the public) may receive from the proposed processing against the potential risks the processing presents to the rights of the consumer. The controller needs to document and retain such assessments and make them available to the Minnesota Attorney General upon request.

Other Controller Obligations

In addition to operationalizing consumer rights and establishing a privacy program as discussed above, the MCDPA imposes obligations on controllers relating to transparency, personal data use, sensitive data and non-discrimination, which are summarized in turn.

Transparency Obligations

The MCDPA requires a controller to provide consumers with a privacy notice that includes specific disclosures, including:

  • The categories of personal data processed by the controller;
  • The purposes for which such categories are processed;
  • An explanation of the rights available under the MCDPA and how the consumer can exercise those rights;
  • The categories of personal data the controller sells to or shares with third parties;
  • The categories of third parties to whom personal data is sold or disclosed;
  • The controller’s contact information;
  • A description of the controller’s retention policies; and
  • The date the notice was last updated.

Controllers that sell personal data, use it for targeted advertising or engage in profiling are also required to disclose such processing and provide a mechanism a consumer can use to exercise their opt-out rights. This mechanism is typically a conspicuous hyperlink on the controller’s website (e.g., “Your Opt-Out Rights”) that allows the consumer to opt out or takes them to a web page where they can do so.

Significantly, the MCDPA requires controllers to notify consumers of any material changes to the privacy policy that affect them and provide the consumers an opportunity to withdraw consent for further processing of their personal data if it is materially different from when the personal data was collected.

Data Use and Protection

Like other state privacy laws, the MCDPA mandates data minimization. Controllers are required to limit collection of personal data to “what is adequate, relevant and reasonably necessary in relation to the purposes for which the data are processed.” Further, controllers cannot process personal data for purposes that are not “reasonably necessary to, or compatible with” the purposes for which the data was collected, absent consent. Finally, absent a legal requirement to the contrary, controllers cannot retain personal data that is no longer relevant or necessary in relation to the purposes for which it was originally collected.

Sensitive Data

The MCDPA provides heightened protections for “sensitive data”—which is defined to include biometric information, specific geolocation data, personal data of a child and personal data relating to race, ethnic origin, religious beliefs, mental or physical health condition, sexual orientation, citizenship or immigration status. Specifically, a controller cannot process such data without first obtaining the consumer’s consent or, in the case of a child, consent from the parent or lawful guardian. In addition, a controller must establish a mechanism for consumers to revoke their consent and must cease processing within 15 days after receiving a revocation notice.

Notwithstanding their general exemption, “small businesses” that conduct business in Minnesota or target products or services at Minnesota consumers are prohibited from selling sensitive data without prior consent.

Prohibition on Discrimination

The MCDPA contains two non-discrimination provisions. First, controllers are prohibited from processing personal data based on certain actual or perceived characteristics (e.g., race, color, ethnicity, religion, gender, etc.) in a manner that would unlawfully discriminate against consumers with respect to the provision of housing, employment, credit, education or public accommodations.

Second, controllers are prohibited from discriminating against a consumer for exercising any rights available under the MCDPA. Specifically, a controller cannot refuse to provide, charge different prices or rates or provide different quality goods or services because a consumer exercised rights under the Act. This prohibition does not apply to certain bona fide loyalty and rewards programs.

Enforcement

The MCDPA does not include a private right of action; rather, the Minnesota Attorney General is solely responsible for enforcement. Violations of the MCDPA are subject to injunctive relief and civil penalties up to $7,500 per violation. Currently, the MCDPA requires the Minnesota Attorney General to provide a controller or processor with notice of the specific provisions of the MCDPA that it alleges have been violated and 30 days to cure the violations prior to bringing an enforcement action. This provision, however, expires on January 31, 2026. 

Conclusion

As the privacy landscape continues to change on a state-by-state basis, compliance becomes increasingly challenging. Organizations that need assistance navigating this landscape, or with questions about the MCDPA, should reach out to Sten Hoidal, who chairs Fredrikson’s Data Privacy & Security Group. Look for additional guidance from Sten and his team on the MCDPA in the near future.
