Minnesota’s Consumer Privacy Law Takes Aim at Profiling and Takes Effect Soon – JD Supra

Mintz - Privacy & Cybersecurity Viewpoints
It’s the season of lists and next on ours: Minnesota! This state joined 18 others to enact comprehensive data privacy legislation in recent years. To avoid being on the “naughty” list, make sure to review your compliance program!
On May 19, 2024, Minnesota Governor Tim Walz (D) signed into law the Minnesota Consumer Data Privacy Act (“MNCDPA”), which will take effect on July 31, 2025. While the MNCDPA’s framework is similar to many other state privacy laws already in effect, the law also includes notable provisions for small businesses and broader consumer rights around profiling. The following article explains what businesses are covered by the law and highlights key provisions of the MNCDPA.
The Minnesota Consumer Data Privacy Act applies to entities that:
Like most other states, the MNCDPA defines a “consumer” as an individual who is a resident of Minnesota and acting only in an individual or household context. This definition specifically excludes individuals acting in a commercial or employment context.
As with many other consumer privacy laws, the first prong of the MNCDPA expressly excludes entities that control or process data for the sole purpose of completing payment transactions.
Finally, the law also applies to entities acting as “technology providers” under Minnesota Statute 13.32, which covers any persons who contract with public educational institutions to provide school-issued devices to students and create, receive, or maintain educational data. This is a notable effort on the part of Minnesota lawmakers to impose this law and its requirements on any business – big or small – providing technology to public schools and should be of key importance to ed tech providers.
The MNCDPA contains a number of categorical exemptions that are in line with many other state privacy laws. The law exempts government entities, federally recognized Indian tribes, state or federally chartered banks and credit unions, insurance companies, and nonprofits established to detect and prevent insurance fraud. Minnesota is one of only a few states to exempt small businesses, as defined by the U.S. Small Business Administration; however, the law makes clear that such small businesses are prohibited from selling a consumer’s sensitive data without prior consent (and are subject to enforcement under the MNCDPA for any violation of this restriction).
Additionally, the MNCDPA exempts certain types of data such as health records, protected health information (“PHI”) under HIPAA, data for public health activities and purposes under HIPAA, consumer credit-reporting data, and information regulated by the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act, the Driver’s Privacy Protection Act, the Farm Credit Act, the Airline Deregulation Act, and the Fair Credit Reporting Act. Note that these exemptions relate to the data and not to the entity. An entity regulated by one of these federal statutes could therefore still be required to comply with the MNCDPA with respect to other types of personal data it collects or processes. The MNCDPA also exempts data processed or maintained for the purposes of job applications or employment, administering benefits, or collecting emergency contact information.
In contrast to some other states, the MNCDPA does not exempt higher educational institutions (though some will not be required to comply with its requirements until 2029). Moreover, the law contains only a narrow exemption for nonprofit organizations that have been established only for the purposes of detecting and preventing insurance fraud. Many nonprofits may thus find themselves subject to the provisions of this law and should be prepared to comply with the MNCDPA.
Minnesota consumers have the following rights under the MNCDPA:
Importantly, the MNCDPA includes additional unique rights specific to profiling. If a consumer’s personal data has been profiled in a way that produces legal or similarly significant effects, consumers have the following rights:
Consumers may exercise their rights under the MNCDPA at any time by submitting a request to an entity specifying which rights they wish to exercise. Parents and legal guardians of children under thirteen (13) years of age may exercise such rights on their children’s behalf.
The MNCDPA requires covered entities to:
Covered entities must provide consumers with a “reasonably accessible, clear and meaningful” privacy notice that includes at a minimum the following:
Note that businesses must provide reasonable notice to consumers of any material change to their privacy notice, taking into account available technology and the nature of the consumer relationship. In addition, businesses must provide a reasonable opportunity for those consumers to withdraw consent following the change.
THE DOs – Covered entities must:
THE DON’Ts – Covered entities must not:
Processors, such as vendors to covered businesses, will most often have direct obligations under the MNCDPA, such as:
A processor must enter into contracts with covered businesses that govern how it processes personal data on the covered businesses’ behalf. The MNCDPA prescribes the following requirements that must be included in data processing agreements between the parties:
Furthermore, the contract must require the processor to do the following:
The MNCDPA defines “deidentified data” as data that cannot reasonably be linked to an identified or identifiable individual, and such data is expressly excluded from the definition of “personal data.” As with other state privacy laws, the MNCDPA requires businesses to take reasonable measures to ensure that such data cannot be associated with an individual and contractually require recipients of deidentified data to comply with such provisions. The MNCDPA, along with a few other states such as Virginia and Connecticut, also requires entities to “publicly commit” to only process data in a deidentified fashion and not attempt to reidentify such data.
Further, the MNCDPA defines “pseudonymous data” as “personal data that cannot be attributed to a specific natural person without the use of additional information.” In cases where entities can show that any additional information necessary to identify a consumer is (i) kept separately and (ii) subject to effective technical and organizational measures that prevent the business from accessing such information, then a consumer’s rights to access, delete, and opt-out will not be available for such pseudonymous data.
In general, the MNCDPA requires businesses that use deidentified or pseudonymous data to exercise reasonable oversight to ensure compliance with contractual commitments with third parties dealing with such data. Businesses should also take prompt and reasonable actions to address any breaches of these provisions.
As with many state consumer privacy laws, the MNCDPA does not provide consumers with a private right of action. The Minnesota Attorney General will have exclusive authority to enforce the MNCDPA.
The law also provides for a thirty-day cure period where, prior to bringing an enforcement action, the Attorney General will provide a violating entity with a “warning letter” identifying the specific provisions of the MNCDPA that have allegedly been violated. Entities will have thirty days to cure alleged violations or else face enforcement action. Readers should note that Minnesota will no longer offer such “cure periods” after January 31, 2026.
If violations are left uncured, the Minnesota Attorney General may initiate enforcement actions against entities to recover up to $7,500 in civil penalties per violation. Violators will also be subject to an injunction and part or all of the Attorney General’s litigation expenses.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.
© Mintz – Privacy & Cybersecurity Viewpoints