On May 24, 2024, the Minnesota Governor signed the Minnesota Consumer Data Privacy Act (“MCDPA”), making Minnesota the eighteenth state to enact a comprehensive privacy law. The new law takes effect on July 31, 2025, for most regulated entities, with certain postsecondary institutions having until July 31, 2029, to comply. The framework and requirements of the MCDPA are similar to other state privacy laws passed within the last year, with some distinctions we highlight below.
Scope
Like several other states’ comprehensive privacy laws that are currently in effect, Minnesota includes a minimum threshold for applicability: (1) controlling or processing personal data of 100,000 consumers (Minnesota residents acting in an individual or household context) or (2) deriving over 25% of their gross revenue from the sale of personal data and controlling or processing personal data of 25,000 consumers or more. The new law defines personal data as any information linked or reasonably linked to an identified or identifiable consumer; personal data does not include deidentified data or publicly available information.
The MCDPA provides several common exemptions and, along with Texas and Nebraska, also exempts small businesses as defined by U.S. Small Business Administration regulations; however, small businesses may not sell a consumer’s sensitive data without the consumer’s prior consent.
Consumer Rights and Controller Requirements
Like other states’ comprehensive privacy laws, Minnesota gives consumers the right to personal data access, correction, deletion, and data portability; to opt out of the processing of their personal data for targeted advertising, sales, or profiling in furtherance of automated decisions that have legal or similar significant effects on consumers; and to obtain a list of the third parties to whom the controller has disclosed their personal data. Although many state privacy laws require sharing a list of categories of third parties with whom data has been shared, Minnesota requires companies to provide a list of the specific third parties upon consumer request. If the company does not keep a list by individual consumer, it can disclose a list of all third parties with which it shares consumer personal data.
States have started to include a right to opt out of automated decisions and profiling (e.g., Montana and Nebraska). Minnesota takes that right a step further. When a consumer’s personal data is used for automated decisions that have legal or similar significant effects, consumers also have the right to question the result, to be informed of the reason the profiling resulted in the decision, and (if feasible) to be informed of what actions the consumer might have taken to secure a different decision. Consumers also have a right to access and correct their personal data used in the profiling and to have the profiling decision reevaluated using their corrected data.
For controllers that sell personal data to third parties, process personal data for targeted advertising, or engage in profiling, the MCDPA requires the controller to disclose the processing in the privacy notice and to provide a universal opt-out mechanism. Universal Opt Out signals have become increasingly common in the latest wave of privacy laws being passed (e.g., Delaware, New Jersey, New Hampshire). This method may include an Internet hyperlink clearly labeled “Your Opt-Out Rights” or “Your Privacy Rights” that directly effectuates the opt-out request or takes consumers to another page to make the opt-out request.
While most state laws are not prescriptive on requiring privacy policy notice updates to consumers, the MCDPA, similar to the New Jersey Data Privacy Act, requires that when a controller makes a material change to their privacy notice or practices, the controller must notify consumers affected by the material change with respect to any collected personal data after the change goes into effect and provide a reasonable opportunity for consumers to withdraw their consent. The law does not specify how the controller must provide the notice but states “The controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship.”
MCDPA requires controllers to describe the policies and procedures they have implemented to comply with the MCDPA. The description must include:
(1) the name and contact information for the person with primary responsibility for directing the policies and procedures implemented to comply with the MCDPA,
(2) a description of the controller’s data privacy policies and procedures developed to implement certain requirements under the MCDPA, such as the controller’s obligation to limit the collection of personal data, and
(3) a description of any policies and procedures designed to prevent the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the controller collected and processed the data, unless retention of the data is otherwise required by law or permitted under MCDPA.
The MCDPA also requires controllers to maintain a data inventory as part of their data security practices.
Enforcement
The MCDPA does not grant a private right of action. Enforcement of the new law is exclusively within the purview of the state attorney general, and MCDPA caps civil penalties at $7,500 per violation, though the definition of a “violation” is open to interpretation. Through January 31, 2026, MCDPA gives controllers a 30-day window to remedy alleged violations before the state attorney general can initiate an enforcement action. Note that MCDPA includes funding to pay for more attorneys in the state attorney general’s office to deal with the issues that arise when the new law takes effect. The law does not provide for the Attorney General to issue regulations,
Our Take
The Minnesota law follows many of the latest state privacy laws, but Minnesota does have some unique components. A great place to start would be reviewing your privacy policies and notices and conducting a gap analysis that compares the upcoming state privacy laws against your current compliance efforts to determine any new requirements before the effective date of July 31, 2025.
Also, being able to identify the list of third parties with which a company shares data may not be a simple task, especially historically, if a company is not prepared. At a bare minimum, companies that must comply with MCDPA should start inventorying these third parties and develop a plan to keep the inventory evergreen. Moreover, if a company does not want to share all the third parties with whom it shares personal data, then the company needs to build a process to track the sharing of personal data at the consumer level.
Note especially that regulators are focusing more and more on retention of data. As most companies cannot “flip-the-switch” on record retention as it impacts multiple areas of the business including operations and legal, companies would be wise to start developing a plan to update and revise their information governance strategy and program.
* Rachel Cooper practices in our Washington, DC office and is licensed to practice law in Maryland. Her work is supervised by our DC partners.