On May 24, Governor Tim Walz signed into law Minnesota’s new comprehensive data privacy law, the Minnesota Consumer Data Privacy Act (HF 4757, referred to here as the MCDPA). The MCDPA goes into effect on July 31, 2025, with some exceptions for colleges and universities (which have until 2029). The MCDPA is similar to other state privacy laws, but with some key differences. These differences mean extra compliance work for agencies and their clients that are already following other state privacy laws.
Scope of Applicability and Exemptions
Like many other state privacy laws on the books, the MCDPA includes data processing and revenue thresholds to determine whether the law applies. The MCDPA applies to any person that conducts business in Minnesota or provides products or services that are targeted to Minnesota residents and, during the immediately preceding calendar year, either:
- Controlled or processed the personal data of at least 100,000 Minnesota consumers (excluding that personal data controlled or processed solely for the purpose of completing a payment transaction); or
- Controlled or processed the personal data of at least 25,000 Minnesota consumers and derived more than 25% of its gross revenue from the sale of personal data.
MCDPA also applies to technology providers under Minnesota’s educational data laws (i.e., entities that provide technology to schools).
Specific exemptions exist to the MCDPA’s scope of applicability, including entity-level exemptions for government entities, certain financial entities such as banks and insurance companies, small businesses, airlines, and federally recognized American Indian tribes. The MCDPA continues a recent trend that we’ve seen in some other state privacy laws, including those of Delaware, Oregon, Colorado, and Maryland, of not providing a blanket entity-level exemption for non-profits.
MCDPA’s list of data-level exemptions is fairly standard, including data processed in accordance with a variety of federal laws, including the Health Insurance Portability and Accountability Act, federal research laws, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act and the Farm Credit Act, among others.
Controller Obligations
Per the MCDPA, controllers are required to do the following:
- Limit the collection of personal data to what is adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed and disclosed to the consumer;
- Avoid processing personal data for secondary reasons (purposes that are neither reasonably necessary to nor compatible with the initial disclosed purposes) without the consumer’s prior consent;
- Establish, implement and maintain reasonable administrative, technical and physical data security practices (to protect the confidentiality, integrity and accessibility of personal data appropriate to the volume and nature of the personal data at issue);
- Not collect, process or share sensitive data except where strictly necessary to provide or maintain a specific consumer-requested product or service;
- Not process personal data in violation of laws that prohibit unlawful discrimination against consumers, and refrain from discriminating against consumers that exercise their rights;
- Not process personal data for the purposes of targeted advertising, or sell personal data, if the controller knows that the consumer is under 16 years of age;
- Provide consumers with a reasonably accessible, clear and meaningful privacy notice posted on its homepage using a hyperlink that contains the word “privacy,” that includes the disclosures now common under state consumer privacy laws. A Minnesota-specific privacy notice or section of a privacy policy is not required where the body of the privacy policy otherwise includes the required disclosures.
- Notify consumers if there are any material changes with respect to any prospectively collected personal data, and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer.
Unique to the MCDPA is a requirement for controllers to maintain a description of policies and procedures used by the controller to comply with the law. Those documents must (i) include the name and contact information for the individual with responsibility for the policies and (ii) include a description of policies and procedures developed to implement different aspects of MCDPA including, for example, data minimization principles.
Minnesota is also the first state to require in its privacy law that controllers maintain data inventories. Specifically, the Minnesota law directs that a “controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities.”
Consumer Rights
The MCDPA, like all other state privacy laws to date, is a consumer rights-based bill. To that end, when it comes to their personal data, Minnesota consumers have the right to access, correct, delete, request data portability, obtain a list of the specific third parties to which a company has disclosed the consumer’s personal information, appeal a controller’s data rights decision, and opt out of targeted advertising. Worth noting, the MCDPA uniquely provides that, when responding to consumer requests, controllers may not disclose certain sensitive information to a consumer and may only confirm that they have in fact collected that piece of information.
The MCDPA also includes a unique consumer right related to opting out of profiling that is not seen in other states. Where a consumer’s personal data is profiled to advance decisions that produce legal effects or similarly significant effects (e.g., housing, lending, financial, education), a Minnesota consumer has the right to request the result of the profiling, to be informed of the reason that the profiling resulted in the decision and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision. In addition, where the profiling was performed on incorrect data, the consumer has the right to request a correction of the information and a reevaluation of the profile.
Under MCDPA, controllers must respond to a data subject request within 45 days after receipt, with a 45-day extension available as reasonably necessary. If denied, the controller must provide a method to appeal the denial of a request and make the process conspicuously available. A decision on the appeal must be provided within 45 days of receipt of the consumer’s appeal, which can be extended by 60 additional days. If an appeal is denied, the decision must include a method for the consumer to submit a complaint with the Minnesota attorney general.
Sensitive Data
As under most other state privacy laws, the collection and processing of a consumer’s sensitive data requires opt-in consent. Sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data for the purpose of uniquely identifying an individual, data collected from a known child, and specific geolocation data.
A unique flavor that we see in the MCDPA is its definition of specific geolocation data. Whereas other state laws define that or similar terms as a location within a radius of a certain number of feet, under the MCDPA, specific geolocation data includes (i) GPS-level latitude and longitude, (ii) other mechanisms that directly identify the geographic coordinates of a consumer or a device linked to a consumer with an accuracy of more than three decimal degrees of latitude and longitude, or the equivalent in an alternative geographic coordinate system, or (iii) a street address derived from either set of coordinates in (i) or (ii).
Data Protection Assessments
The MCDPA also requires controllers to conduct “data privacy and protection assessment[s]” for:
- Processing personal data for targeted advertising;
- Selling personal data;
- Processing sensitive data;
- Processing involving personal data that presents a heightened risk of harm to consumers (an undefined phrase in MCDPA); and
- Processing personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment; (ii) financial, physical or reputational injury; (iii) a physical or other intrusion on the private affairs of a consumer; or (iv) other substantial injury to consumers.
The assessments must identify and compare the processing activity’s benefits that may flow to all parties and potential risks to consumer rights. Like other state privacy laws, MCDPA allows impact assessments performed for other state privacy laws to satisfy its assessment requirements.
Data Processor Obligations
The MCDPA requires data processors to “assist the controller in meeting [its] obligations” under the law. A controller and processor must enter into a binding contract that governs their data processing, including requiring the processor to protect the confidentiality of the data (including ensuring that each person processing personal data is subject to a duty of confidentiality), to delete or return personal data to the controller when requested, to provide the controller the opportunity to reject any subcontractor, and to impose the same requirements on any subcontractor as are imposed on it by the controller.
Universal Opt-Out Mechanisms
Like the data privacy laws of other states, including California, Colorado, Connecticut, Oregon, New Jersey, Maryland, Delaware, Nebraska, New Hampshire, Texas, and Montana, the MCDPA requires controllers to allow consumers to opt out of the processing of their personal data by using universal opt-out mechanisms (UOOMs). Notably, UOOMs that have been approved under other state laws are deemed to comply with the MCDPA.
For questions or further information on state privacy laws, please contact Jim Potter, CHC Executive Director.