Minnesota Governor Signs Consumer Data Privacy Act

On May 24, 2024, Minnesota’s Governor signed the Minnesota Consumer Data Privacy Act (the “Act”) making Minnesota the eighteenth state to enact a comprehensive privacy law. The Act will take effect on July 31, 2025 and contains several unique provisions.

Applicability

The Act applies to legal entities that:

  1. conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota; and
  2. during a calendar year either:
    • control or process the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
    • control or process the personal data of at least 25,000 consumers and derive more than 25% of gross revenue from the sale of personal data.

The Act exempts several types of entities that would otherwise be covered under the above requirements. First, the Act generally exempts “small businesses” as defined by the U.S. Small Business Administration (“SBA”). SBA’s industry-level definitions for a “small business” consider employee number, revenue thresholds, and affiliates in their size calculations. This exemption is unique among the state comprehensive privacy laws.

Second, the Act exempts non-profit organizations established to detect and prevent acts of insurance fraud, but not other non-profit organizations. In general, state comprehensive privacy laws continue to be split on whether such laws apply to non-profit organizations, with states trending towards including them. This distinction may create unique compliance challenges for non-profit organizations.

Finally, the Act provides exemptions for other regulated entities, such as governmental entities and financial institutions governed by the Gramm-Leach-Bliley Act.

In addition to exemptions for certain entities, the Act also includes exemptions similar to those found in other state laws for certain types of information, such as protected health information under HIPAA, personal data processed by a consumer reporting agency under the Fair Credit Reporting Act, personal data processed under the Driver’s Privacy Protection Act, personal data regulated by the Family Educational Rights and Privacy Act, and, as discussed below, employee personal data and business-to-business personal data.

Key Definitions

Joining the vast majority of state comprehensive privacy laws, the Act narrowly defines “consumer” to mean an individual who is a Minnesota resident acting only in an individual or household context, excluding individuals acting in a commercial or employment context. As a result, employee personal data and business-to-business personal data are not within the scope of the Act.

Also in line with other state comprehensive privacy laws, the Act governs consumers’ “personal data” in addition to a special category of personal data known as “sensitive data,” which it defines as (i) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; (ii) genetic or biometric data processed for the purpose of uniquely identifying an individual; (iii) personal data of a known child (i.e., an individual under thirteen); or (iv) specific geolocation data. However, the Act’s definition of “specific geolocation data” is unique among state comprehensive privacy laws, tying it to geographic coordinates derived from technology that can identify a consumer’s location within a specific degree of accuracy. The typical approach under other state comprehensive privacy laws is to define it within a certain radius in feet. The Act’s definition may require businesses to revisit their approach to geolocation data. The Act requires data controllers to obtain consent from consumers prior to processing their sensitive data or, in the case of processing the sensitive data of a known child, to process such data in accordance with the federal Children’s Online Privacy Protection Act (COPPA). Further, the Act prohibits “small businesses” (as defined by SBA) from selling sensitive data without receiving prior consent from the consumer.

Under the Act, the “sale” of personal data means the exchange of personal data for monetary or other valuable consideration by the controller to a third party, which also aligns with a majority of other state comprehensive privacy laws. The Act also includes broad exceptions to the definition of “sale” that are similar to exceptions in other state comprehensive privacy laws and that exclude from the Act’s requirements many ordinary business activities, such as disclosure of personal data to a processor who processes the personal data on behalf of a controller, transfers of personal data to an affiliate or a controller, or disclosure of personal data to a third party for the purpose of providing a product or service requested by a consumer.

Compliance

Generally, the Act contains compliance obligations that are substantially similar to those found in the other state comprehensive privacy laws, including the requirement for controllers to provide a compliant privacy notice to consumers and to enter into contracts with processors that process personal data on their behalf. However, the Act requires controllers to notify consumers of material changes to their privacy policies and provide an opportunity to consumers to withdraw consent from any materially-affected collection or processing practices and stipulates that a controller “may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed” unless required by law or permitted under an exception.

The Act requires controllers to conduct and document data protection assessments of any processing activities that involve personal data used in targeted advertising, the sale of personal data, the processing of sensitive data, profiling (in certain instances), or processing that presents a “heightened risk of harm” to consumers, which the Act does not define. While this is similar to many other state comprehensive privacy laws, the Act goes beyond them by requiring controllers to document their broader compliance efforts and keep inventories of the data that must be managed under the Act.

Consumer Rights and Requests

The Act grants consumers the right to request a controller to (1) confirm whether the controller is processing the consumer’s personal data and access such personal data, unless it would require the controller to reveal a trade secret; (2) correct inaccuracies in their personal data (taking into account the nature of the personal data and the purposes of processing such data); (3) delete their personal data; (4) provide a copy of their personal data; and (5) opt out of the processing of the consumer’s personal data for targeted advertising, the sale of personal data, or certain types of profiling. These rights are consistent with the rights granted to consumers under other state comprehensive privacy laws. The Act also grants consumers the right to obtain a list of third parties to which personal data was disclosed.

A novel provision of the Act strengthens consumer opt-out rights for profiling by granting consumers the right to (1) question the result of the profiling, (2) be informed of the reason the profiling resulted in the decision, and (3) if feasible, be informed of actions the consumer could have taken to result in a different decision. Additionally, the Act grants consumers the right to review the data used in the profiling and, if such data was inaccurate, to correct the data and have the profiling decision reevaluated.

A consumer’s authorized agent may opt out of the processing of personal data for targeted advertising or the sale of personal data on the consumer’s behalf. A consumer may authorize such an agent using technology, such as an internet browser setting, global settings on an electronic device, or a link to an internet website that indicates a consumer’s intent to opt out.

The Act grants a controller 45 days to respond to consumer requests, which may be extended once by an additional 45 days when reasonably necessary considering the complexity and number of the requests. Additionally, a controller must provide a consumer with an appeals process if it denies a consumer’s request, and a controller has 45 days to respond to an appeal and an option to extend such period by 60 days where reasonably necessary. This appeal process is now common, although not uniform.

Enforcement and Rulemaking Authority

Like most other state comprehensive privacy laws, the Act has no private right of action. Rather, the Minnesota Attorney General has exclusive authority to enforce violations of the Act. The Minnesota Attorney General may seek damages for up to $7,500 for each violation of the Act. However, prior to initiating an enforcement action, the Act requires the Minnesota Attorney General to issue a notice and grant a controller a 30-day cure period. This right to an opportunity to cure expires January 31, 2026.

Conclusion

Though the Act generally has substantial interoperability with other state comprehensive privacy laws, it also contains novel requirements with which controllers will have to comply. In the near future, controllers may find themselves grappling with nearly two dozen state comprehensive privacy laws and varying rights and obligations thereunder. If you would like assistance with, or have any questions about, complying with the Act or other data privacy laws, or need assistance reviewing your data privacy practices, please contact one of our Cybersecurity & Data Privacy attorneys. Check out our U.S. Privacy Laws page for more information.