Embracing Data Privacy: What the Minnesota Consumer Data Privacy Act Means for Your Business
In an era where data privacy is increasingly important, many states are considering or have recently passed data privacy laws. Minnesota joins Maryland, Vermont and several other states currently enacting data privacy legislation that takes effect between July 1, 2024 and July 2026.
California was the first state to pass a modern data privacy act with the California Consumer Privacy Act (CCPA) on June 8, 2018, which took effect on January 1, 2020, and was subsequently amended and expanded by the California Privacy Rights Act (CPRA) on November 3, 2020. Other states followed in order: Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Florida, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Texas, and Nebraska. Most other states are either passing or at least considering data privacy legislation. Businesses, especially large national companies, need to be aware of and ready to comply with these varying state requirements.
The Minnesota Consumer Data Privacy Act (MCDPA) was passed into law on May 24, 2024, when Governor Tim Walz signed HF 4757. The Act provides Minnesota residents, as individual consumers, control over their personal data. The law is set to go into effect on July 31, 2025, giving businesses time to adapt their practices and ensure compliance with the new regulations.
This new law will transform how businesses handle consumer data, emphasizing transparency, security, and control. If your business operates in Minnesota or targets its residents, it is crucial to understand and comply with the MCDPA to avoid penalties and build consumer trust.
Who Is Subject to the MCDPA?
The MCDPA casts a wide net, covering businesses that either operate within Minnesota or target its residents, provided they meet certain data processing or revenue thresholds. The Minnesota Consumer Data Privacy Act (MCDPA) applies to businesses that meet one or more of the following criteria, with some exceptions for various entities and data categories:
- Data Processing Volume: The business buys, receives, sells, or shares the personal data of 100,000 or more Minnesota consumers annually.
- Data Sales: The business has 25,000 or more Minnesota consumers and derives 25% or more of its annual revenue from selling the personal data of Minnesota consumers.
Essentially, if you handle a significant volume of personal data or generate substantial revenue from such activities, this law likely applies to your business.
Businesses that meet one of these criteria, particularly national companies already complying with California’s data privacy act, may find they are also subject to other states’ data privacy laws. Minnesota aligned its definitions with those of California and other states for consistency; however, Minnesota introduces some novel provisions. It is important for your company to identify which state laws apply to your consumer data privacy and to develop policies and procedures that comply with each state’s requirements.
Exemptions for Entities and Certain Data
Minnesota, along with most states, exempts certain entities such as government bodies, Indian tribes, chartered banks, and airlines. Minnesota also exempts small businesses, as defined by the SBA, although even a small business must obtain consumer consent before selling sensitive data.
In addition, certain data already subject to federal data privacy regulations, such as HIPAA, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act and other federal regulations, are exempt. Even if a specific data privacy law does not apply to your business, you should contact an attorney to address data privacy issues with your customers, including data protection, management, and breach.
New Rights for Minnesota Residents
One of the cornerstones of the MCDPA is the empowerment of consumers. Minnesota residents will have several robust rights regarding their personal data. They can request access to their data, ask for corrections of inaccuracies, demand deletion, and receive their data in a portable format. The MCDPA provides a unique right for consumers to question the result of profiling decisions regarding themselves, allowing them to review, correct, and be informed of any actions they could take to achieve a different decision. Perhaps most significantly, they also have the right to opt out of the sale of their data and targeted advertising. This shift means that businesses must be prepared to handle these requests efficiently and within a specified timeframe, typically 45 days.
Transparency is another key aspect of the MCDPA. Businesses must provide clear and detailed privacy notices that explain their data collection and usage practices. This involves creating a data inventory outlining what data is collected, the purposes for which it is used and any third parties with whom the data is shared. For many businesses, this will require revising existing privacy policies to ensure they are easily accessible and understandable for consumers.
Data Security Requirements
Data security under the MCDPA extends beyond having strong passwords. The Act mandates that businesses implement reasonable security measures to protect personal data. This might involve upgrading current security protocols, conducting regular security audits, and training employees on best practices for data protection. Additionally, having a robust incident response plan is essential to address any potential data breaches promptly.
The Act also introduces the requirement for regular data privacy assessments, especially for high-risk data processing activities like profiling and handling sensitive data. These assessments must be documented and available for review by the Minnesota Attorney General upon request.
Enforcement
There is no private right of action. The Minnesota Attorney General handles compliance; however, businesses have a thirty-day right to cure until January 31, 2026. Integrating these assessments into your regular compliance or audit frameworks is a proactive step to ensure ongoing adherence to the law.
Changes Businesses Should Make
So, how do you navigate these new regulations? Start with a comprehensive data audit to understand what data you collect, where it comes from, and how it is used. Here are key steps to consider:
- Implement systems to manage consumer rights efficiently, and enhance your data security measures.
- Update your privacy policies to reflect the new requirements, ensuring they are transparent and accessible.
- Review contracts with third parties that store or process your customers’ data.
- Develop a process and assign responsibility for handling consumer data requests.
- Draft or revise your data incident plan.
- Assess your compliance with the MCDPA regularly to ensure you are meeting all requirements.
The MCDPA’s opt-out requirements are particularly significant for businesses engaged in data sales or targeted advertising. Those businesses need to develop clear and user-friendly opt-out mechanisms, ensuring that consumers can easily exercise their rights. Additionally, it is crucial to ensure that any third-party vendors you work with also comply with these opt-out requests.
Summary
The Minnesota Consumer Data Privacy Act (MCDPA) provides enhanced data protection and consumer rights. While it may require substantial adjustments, it also offers an opportunity to build trust with your consumers and establish your business as a leader in data privacy. By understanding and implementing the requirements of the MCDPA, you can ensure your business remains compliant and continues to thrive in the evolving digital landscape.
For personalized advice on how the MCDPA affects your business and to ensure full compliance, our legal team is here to help you navigate these new regulations.