U.S. Laws & Regulations
In recent weeks, significant developments have occurred in the realm of data privacy laws in the United States. The Minnesota governor has signed the Minnesota Consumer Data Privacy Act (MCDPA) into law, while the Vermont Data Privacy Act (VDPA) awaits the governor’s signature. These new laws introduce unique provisions that distinguish them from existing state comprehensive privacy laws.
On May 23, 2024, the U.S. House Committee on Energy and Commerce Subcommittee on Data, Innovation, and Commerce approved a revised draft of the American Privacy Rights Act (APRA), which had been released only 36 hours prior to the markup session. With this approval, the APRA will now proceed to full committee consideration. Truyo President Dan Clarke says, “With Cantwell’s support this is now out of committee, a first for a federal privacy law that gives us optimists renewed hope.”
Let’s take a look at each of these laws and their recent advancements.
Minnesota Consumer Data Privacy Act
The Minnesota Consumer Data Privacy Act (MCDPA) was passed as part of a broader omnibus bill (HF 4757) and signed into law by Governor Tim Walz on May 24, 2023. The MCDPA will take effect on July 31, 2025.
Notable Elements of the MCDPA:
- Right to Challenge Profiling Decisions: Consumers have several rights regarding profiling decisions that produce legal or significant effects, including:
- Questioning the result of profiling.
- Being informed of the reasons behind profiling decisions.
- Understanding actions to secure different future decisions.
- Reviewing personal data used in profiling.
- Correcting inaccurate data and having profiling decisions reevaluated.
- Right to Obtain List of Third-Party Data Recipients: Consumers can obtain a list of specific third parties with whom their personal data has been shared.
- Data Inventory Requirement: Controllers must maintain a data inventory as part of their security practices, although the Act does not provide specific guidance on this requirement.
- Policy Documentation and Chief Privacy Officer: Controllers must document policies and procedures to comply with the Act and identify a chief privacy officer or equivalent individual.
Vermont Data Privacy Act
The Vermont Data Privacy Act (VDPA) was passed by the legislature on May 11, 2023, and is awaiting the governor’s signature. The VDPA would generally take effect on July 1, 2025, with exceptions for certain provisions.
Notable Elements of the VDPA:
- Limited Private Right of Action: The VDPA includes a private right of action for privacy violations, applicable only to data brokers and “large data holders” (companies processing personal data of at least 100,000 Vermont residents). This provision would take effect in 2027 and expire in 2029 unless extended by legislation.
- Step-Down Applicability Thresholds: The VDPA applies to entities conducting business in Vermont or targeting Vermont residents and meeting specific data processing thresholds. These thresholds will gradually lower over time:
- Effective July 1, 2026: Entities controlling or processing personal data of at least 12,500 Vermont residents or deriving more than 20% of revenue from data sales.
- Effective July 1, 2027: Entities controlling or processing personal data of at least 6,250 Vermont residents or deriving more than 20% of revenue from data sales.
- Data Minimization Requirements: Companies must limit data collection to what is “reasonably necessary and proportionate” to deliver requested products or services.
- Right to Obtain List of Third-Party Data Recipients: Similar to the MCDPA, the VDPA allows consumers to obtain a list of third parties with whom their data has been shared.
- Prohibition on Sale of Sensitive Data: The VDPA prohibits the sale of sensitive data, with exceptions for consumer-directed disclosures and those necessary to provide requested services.
- Broad Definitions of Sale and Targeted Advertising: The VDPA defines “sale of personal data” and “targeted advertising” more broadly than most state laws, encompassing exchanges for commercial purposes and targeting based on activity across distinct brands owned by the same business.
Congressional Developments: American Privacy Rights Act (APRA)
While states continue to pass new privacy laws, Congress is debating the American Privacy Rights Act (APRA). Currently under evaluation by the House Committee on Energy and Commerce, APRA includes provisions to preempt certain state privacy laws, providing clarity for businesses regarding compliance obligations. However, it also introduces a private right of action, potentially exposing companies to class action risk under the new federal privacy law.
Key Takeaways for Businesses
- Review and Update Compliance Programs: Companies operating in Minnesota and Vermont should review the new laws’ requirements and update their privacy compliance programs accordingly.
- Monitor Federal Developments: Stay informed about the progress of APRA and its potential impact on state-level privacy laws and business compliance.
- Prepare for Increased Litigation Risk: Both state and potential federal laws include provisions that could lead to increased litigation risk, particularly for data brokers and large data holders.
To stay abreast of the latest developments in state and federal privacy law, subscribe to the Truyo Privacy Newsletter at Truyo.com/blog.