On May 25, 2024, Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (the "Act"), which takes effect on July 31, 2025, for most controllers and on July 31, 2029, for certain postsecondary educational institutions. Minnesota is the 18th state to enact a comprehensive consumer data privacy law.
The Act adopts the same framework as most other state privacy laws but includes several novel provisions, including broader rights for Minnesota residents who are subject to profiling in furtherance of decisions that produce legal or similarly significant effects.
We highlight key aspects of the Act below.
Application Thresholds
The Act applies to legal entities that conduct business in Minnesota or produce products or services targeted to Minnesota residents and:
- During a calendar year, control or process personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Derive over 25% of gross revenue from the sale of personal data and process or control personal data of at least 25,000 consumers.
Exemptions
The Act provides the following limited entity-level exemptions:
- Government entities
- Federally recognized Indian tribes
- Covered entities and business associates subject to the Health Insurance Portability and Accountability Act ("HIPAA")
- State or federally chartered banks or credit unions
- Insurance companies
- Small businesses, as defined by the U.S. Small Business Administration (subject to opt-in consent requirement for sale of sensitive data)
- Nonprofits established to detect and prevent insurance fraud
- Air carriers subject to the federal Airline Deregulation Act
The Act also exempts the following types of data:
- Personal health information ("PHI") under HIPAA
- Health records, patient identifying information, human subjects research, data subject to the federal Health Care Quality Improvement Act
- Data derived from any healthcare-related data that is deidentified in accordance with HIPAA requirements
- Data for public health activities and purposes authorized by HIPAA
- Data regulated by:
- the Fair Credit Reporting Act
- the Gramm-Leach-Bliley Act
- the Driver's Privacy Protection Act
- the Family Educational Rights and Privacy Act
- the federal Farm Credit Act
- Data processed or maintained solely:
- On individuals acting as job applicants or employees
- For emergency contact purposes
- Personal data processed as part of a payment-only transaction so long as no consumer data is retained
Controllers and processors that comply with verifiable parental consent requirements under the Children's Online Privacy Protection Act ("COPPA") are deemed compliant with any obligation to obtain parental consent under the Act.
Consumer Rights
The Act affords Minnesota residents the usual consumer rights, including the right to:
- Confirm processing of personal data
- Access categories of personal data being processed
- Correct inaccurate personal data
- Delete personal data
- Port personal data
- Opt out of
- targeted advertising
- the sale of personal data
- profiling in furtherance of automated decisions that produce legal or similarly significant effects
The Act also requires controllers to obtain opt-in consent from consumers who are between 13 and 16 years of age before selling or sharing their personal data for targeted advertising. And it gives consumers the right to obtain a list of specific third parties to whom the controller has disclosed the consumer's personal data, or if that is not possible, a list of specific third parties to whom the controller has disclosed any consumer's personal data.
As noted above, the Act gives unique rights to Minnesota residents who are subject to profiling in further of decisions that produce legal or similarly significant effects, including the right to:
- Question the result of the profiling
- Be informed of the reason that the profiling resulted in the decision
- If possible, be informed of what actions the consumer could have taken to secure a different decision and what actions the consumer could take in the future to do the same
- Review the personal data used in profiling and, if inaccurate, have such data corrected and the profiling decision reevaluated based on the corrected personal data
Entities subject to the Act are required to respond to consumer rights requests within 45 days, subject to a 45-day extension, and establish an appeals process for consumer rights requests, and respond to appeals within 45 days, subject to a 60-day extension.
Information Security
Like other state privacy laws, the Act generally requires companies to maintain reasonable and appropriate data security practices but does not enumerate specific safeguards (such as encryption or multifactor authentication).
However, the Act imposes some unique data security obligations, including requiring controllers to maintain data inventories: "controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities." (emphasis added)
The Act also expressly prohibits controllers from disclosing certain sensitive information—including Social Security numbers, driver's license numbers, health insurance account numbers, financial account numbers, biometric data, and account passwords or security questions and answers—in response to a consumer's request for access to personal data. Instead, controllers must inform the consumer "with sufficient particularity" that the controller has collected that sensitive information.
Privacy Notices
Like other comprehensive state privacy laws, the Act requires controllers to provide consumers a "reasonably accessible, clear, and meaningful" privacy notice on the controller's website home page or on a mobile application's app store page or download page (or if not electronic, by mail) disclosing:
- Categories of personal data processed
- Purposes for which the categories are processed
- How consumers may exercise their rights and appeal decisions regarding their rights
- Categories of personal data shared with third parties
- Categories of third parties with whom personal data is shared
- Whether personal data is sold or shared for targeted advertising
- Any material changes in a controller's privacy notice or practices
Controllers' Obligations
In addition to the obligations listed above, controllers must limit the collection of personal data to what is adequate, relevant, and reasonably necessary for the purpose for which the data or processed, as disclosed to the consumer. Controllers must obtain express consent from consumers before processing personal data for purposes not reasonably necessary to, or compatible with, the disclosed purposes. Controllers also must monitor contractual commitments regarding deidentified or pseudonymous data when they disclose such data to other entities, and they are prohibited from using personal data to unlawfully discriminate against a consumer or from discriminating against consumers for exercising their rights under the Act, except under certain circumstances.
The Act also imposes an unusual requirement that controllers document and maintain a description of the policies and procedures that they adopt to comply with the Act. These policies and procedures must include the name and contact information of the chief privacy officer, or other individual with primary responsibility for compliance, and must describe any policies and procedures designed to:
(1) reflect the requirements of the Act in the design of the controller's systems;
(2) identify and provide personal data to a consumer, as required by the Act;
(3) establish, implement, and maintain reasonable security safeguards, including – as noted above – maintenance of an inventory of the data subject to such safeguards;
(4) comply with data minimization requirements;
(5) prevent the retention of personal data for longer than reasonably necessary or when no longer relevant for the purpose for which the data were collected, unless otherwise required or permitted by law; and
(6) identify and remediate violations of the Act.
Processor Contracts
The Act directs controllers and processors to enter contracts requiring processors to:
- Impose a duty of confidentiality on all individuals processing personal data;
- Provide controllers an opportunity to object to subcontractors and use subcontractors that are subject to the same privacy requirements as the processor;
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk;
- Delete or return personal data at termination of the agreement;
- Demonstrate compliance with the Act upon request; and
- Allow for and contribute to reasonable assessments and inspections of the processor's policies and compliance measures or arrange for an independent assessor to conduct the same and provide a report of the assessment to the controller.
Universal Opt-Out Mechanisms
Controllers must respond to requests to opt out of sales or targeted advertising made via Universal Opt-Out Mechanisms ("UOOMs"). The UOOM must not unfairly disadvantage another controller or make use of a default setting, be easy to use by the average consumer, be as consistent as possible with other similar mechanisms required by other laws, and enable the controller to accurately determine whether the consumer is a Minnesota resident. The Act expressly allows controllers to use Internet Protocol ("IP") addresses as a proxy for determining the consumer's state of residents.
Definition of Sensitive Data
The Act defines sensitive data to mean:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status
- Genetic or biometric data that is processed for the purpose of uniquely identifying an individual
- Personal data collected from a known child
- Specific location data
Specific geolocation data means information that directly identifies the geographic coordinates of a consumer or a device linked to a consumer with an accuracy of more than three decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates.
Like most other state privacy laws, the Act requires controllers to obtain opt-in consent before collecting or otherwise processing sensitive data, unless an exception applies. Small businesses (otherwise exempt from the Act) must obtain opt-in consent before selling a consumer's sensitive data.
Data Protection Assessments
The Act contains typical provisions regarding data protection assessments ("DPAs"), requiring controllers to conduct DPAs for the following processing activities:
- Targeted advertising
- Sales of personal data
- Profiling, if certain risk factors are met
- Processing sensitive data
- Any processing activities that present a "heightened risk of harm"
Enforcement
The Minnesota Attorney General has exclusive authority to enforce the Act. Violators may be subject to an injunction and a civil penalty of up to $7,500 per violation, as well as all or part of the AG's litigation expenses.
The Act does not authorize any rulemaking.
No Private Right of Action
The Act expressly precludes a private right of action for violations of the law.
30-Day Cure Period
The Minnesota Attorney General must give businesses notice and the opportunity to cure an alleged violation within 30 days of receiving the notice.
The right to cure sunsets on July 31, 2026, one year after the Act takes effect.
Looking Ahead
DWT's privacy and security team regularly counsels clients on how their business practices can comply with state privacy laws. We will continue to monitor the rapid development of other state and new federal privacy laws and regulations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.