Understanding Minnesota’s New Data Privacy Law: A Guide for Businesses
As the U.S. anticipates a federal privacy law, Minnesota has joined the growing list of states implementing their own data privacy regulations. Minnesota’s new data privacy law, the Minnesota Consumer Data Privacy Act (MCDPA), stands out for its unique requirements around profiling, its definitions for handling sensitive data, and its requirements for data inventories. This blog explores the essentials of the MCDPA and what businesses must do to comply.
Enacted on May 24, 2024, and taking effect on July 31, 2025, the MCDPA aims to protect the personal data of Minnesota residents. Businesses will need to adhere to its guidelines or face penalties from the state Attorney General.
What Is the MCDPA?
The MCDPA is designed to safeguard personal data and set boundaries on what organizations can do with this information. The key aspects include:
- Limiting Data Usage: Organizations must comply with restrictions on collecting and processing personal data.
- Meeting Obligations: Businesses must implement safeguards, assess risks, and respect consumer rights.
- Empowering Consumers: Providing consumers with the right to control their personal information.
MCDPA Thresholds: Who Must Comply?
The MCDPA applies to organizations targeting Minnesota residents that meet at least one of the following criteria:
- Control or process the personal data of 100,000 consumers or more annually.
- Derive over 25% of gross revenue from the sale of personal data and process the data of 25,000 consumers or more.
Consumer Rights Under the MCDPA
The MCDPA grants Minnesota residents several rights, aligning with other state privacy laws but with some unique provisions:
- Right to Know: Consumers can inquire about the categories of personal data collected about them.
- Right to Access: Consumers can request a copy of their personal data, provided free of charge in an accessible format.
- Right to Obtain Third-Party List: Consumers can obtain a list of third parties with whom their data has been shared.
- Right to Correction: Consumers can request corrections to inaccurate or incomplete personal information.
- Right to Deletion: Consumers can ask for their personal data to be deleted unless it is needed for specific purposes.
- Right to Opt-Out: Consumers can opt out of targeted advertising, the sale of personal data, or profiling that leads to automated decisions affecting them legally.
- Right to Question Profiling: Consumers can question the results of profiling and receive an explanation of how decisions were made.
- Right to Non-Discrimination: Businesses cannot discriminate against consumers exercising their rights.
- Right to Data Portability: Consumers can receive their data in a structured, machine-readable format and transfer it to another entity.
- Right to Appeal: Consumers can appeal if businesses refuse to act on a request.
Exemptions to the MCDPA
The MCDPA includes several exemptions:
- Small Businesses: Small businesses, as defined by the Small Business Association, are exempt but must secure explicit opt-in consent before selling sensitive information.
- Data-Level Exemptions: Data governed by regulations such as GLBA, HIPAA, and FERPA is exempt from MCDPA compliance.
- Public Information: Information lawfully available from government records or widely distributed media is exempt.
- Employee Data: Personal data collected in employment contexts is exempt.
- Nonprofits: Specifically, those established to detect and prevent insurance fraud are exempt.
- Legal Obligations: If MCDPA compliance conflicts with other laws providing equal or greater data protection, organizations may be exempt.
Sensitive Data Under the MCDPA
Certain personal information is categorized as “sensitive” under the MCDPA, warranting heightened protection:
- Racial or ethnic origin
- Religious beliefs
- Mental or physical health diagnosis
- Sexual orientation
- Citizenship or immigration status
- Genetic or biometric data
- Data from known children
- Specific geolocation data
However, businesses are only required to notify consumers that they have collected this sensitive information, not disclose it directly.
Privacy Impact Assessments (PIAs)
Organizations must conduct PIAs for specific activities to ensure compliance:
- Targeted advertising
- Sale of personal data
- Processing sensitive data
- Activities posing a heightened risk of harm to consumers
- Profiling that risks unfair treatment, consumer injury, or substantial injury
Unique Requirements: Data Inventories
The MCDPA mandates data inventories as a security practice, aiding organizations in understanding their data processing activities. This requirement is unique among state privacy laws.
Enforcement and Compliance
The Minnesota Attorney General enforces the MCDPA. Violations can result in injunctive relief and fines up to $7,500 per violation. There is a 30-day right to cure, expiring on January 31, 2026.
Compliance with the MCDPA requires familiar privacy practices, such as consent management and privacy notices. However, businesses must pay special attention to PIA processes and the newly mandated data inventories. By preparing for these requirements, businesses can ensure they are ready to comply when the MCDPA takes effect in July 2025. For questions on how Truyo can help you comply with current and upcoming privacy laws, reach out to hello@truyo.com.