On May 24, 2024, Minnesota Governor Tim Walz signed into law the Minnesota Consumer Data Privacy Act (MCDPA), making Minnesota the 19th state to implement comprehensive data privacy legislation. The MCDPA is set to take effect on July 31, 2025, with extended compliance deadlines for certain entities. This legislation aligns with privacy frameworks established in other states but introduces unique provisions tailored to Minnesota residents and businesses.

Scope and Exemptions

The MCDPA applies to entities that conduct business in Minnesota or target products and services to Minnesota residents, provided they meet one of the following criteria:

• Control or process the personal data of at least 100,000 consumers annually, excluding data processed solely for payment transactions.

• Control or process the personal data of at least 25,000 consumers and derive over 50% of gross revenue from the sale of personal data.

The act defines a consumer as a Minnesota resident acting in an individual or household context, explicitly excluding individuals acting in a commercial or employment context.

Exemptions

Certain entities are exempt from the MCDPA, including:

• State agencies and political subdivisions.

• Financial institutions subject to the Gramm-Leach-Bliley Act (GLBA).

• Entities covered by the Health Insurance Portability and Accountability Act (HIPAA).

• Nonprofit organizations.

• Higher education institutions, with a compliance deadline extended to July 31, 2029.

Additionally, the MCDPA does not apply to personal data processed solely for payment transactions.

Consumer Rights

The MCDPA grants Minnesota residents several rights concerning their personal data:

• Access: Consumers can confirm whether a controller is processing their personal data and access that data.

• Correction: The right to correct inaccuracies in their personal data.

• Deletion: Consumers can request the deletion of personal data provided by or obtained about them.

• Data Portability: The right to obtain a copy of their personal data in a portable and readily usable format.

• Opt-Out: Consumers can opt out of:

• The sale of personal data.

• Processing of personal data for targeted advertising.

• Profiling in furtherance of decisions that produce legal or similarly significant effects.

Notably, the MCDPA provides consumers with the right to review, understand, question, and correct how personal data has been profiled, a provision that distinguishes it from some other state privacy laws.  

Controller Obligations

Entities subject to the MCDPA must fulfil several obligations:

• Transparency: Provide a clear and accessible privacy notice detailing data collection practices, purposes, and consumer rights.

• Purpose Limitation: Collect personal data only for specified, explicit, and legitimate purposes.

• Data Minimization: Limit data collection to what is adequate, relevant, and necessary for the intended purposes.

• Security: Implement appropriate technical and organizational measures to protect personal data.

• Consent for Sensitive Data: Obtain consumer consent before processing sensitive data, which includes information revealing racial or ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship or immigration status, genetic or biometric data, and precise geolocation data.

• Data Protection Assessments: Conduct and document data protection assessments for processing activities that present a heightened risk of harm to consumers, such as targeted advertising, sale of personal data, and profiling.

Enforcement

The Minnesota Attorney General is authorized to enforce the MCDPA. Before initiating an enforcement action, the Attorney General must issue a warning letter, providing the controller or processor with a 60-day period to cure the alleged violation. Failure to cure may result in civil penalties of up to $7,500 per violation.

Conclusion

The Minnesota Consumer Data Privacy Act represents a significant step in enhancing consumer privacy rights within the state. Businesses operating in Minnesota should proactively assess their data practices to ensure compliance by the July 31, 2025, effective date. Given the unique provisions of the MCDPA, particularly concerning consumer rights related to profiling, organizations must carefully evaluate and adjust their data processing activities to align with the new requirements.