On May 24, 2024, Governor Walz signed into law the Minnesota Consumer Data Privacy Act (MNCDPA). This landmark law is the first set of comprehensive consumer privacy standards specific to Minnesota residents. The law will take effect on July 31, 2025, for most covered entities.
Who must comply with the MNCDPA?
The law applies to entities that control or process personal data from a significant number of Minnesota residents, or that derive a significant amount of their gross revenue from the sale of personal data. Specifically, it applies to entities that (1) control or process personal data of at least 100,000 Minnesota residents during a year, or (2) derive over 25% of their gross revenue from selling personal data and process or control personal data of at least 25,000 Minnesota residents. These threshold limits are similar to those in many of the other states that have enacted comprehensive consumer data privacy laws.
The MNCDPA also contains several exclusions. For example, small businesses, as defined by the U.S. Small Business Administration, are largely exempt from the MNCDPA, but they must still obtain prior consent before selling any individual’s sensitive data. Certain categories of entities are also excluded from the law’s scope, such as government entities, federally recognized American Indian tribes, state or federally chartered banks, and airlines. The law also includes the usual data-level exemptions for data processed under certain federal laws, such as protected health information under HIPAA and personal data processed pursuant to the Gramm-Leach-Bliley Act.
What is required by the MNCDPA?
Minnesota provides an expansive list of individual consumer privacy rights and additional requirements that must be enacted by impacted businesses. Like many states, the MNCDPA gives individuals the right to personal data access, correction, deletion, and data portability. Individuals can also opt out of the sale of their personal data and the processing of their personal data for targeted advertising. Companies that have already complied with existing omnibus state privacy laws like the CCPA will recognize many of these rights.
However, in a first for a comprehensive state privacy law, the MNCDPA not only grants individuals the right to opt out of profiling used to make decisions that have legal or similar significant impact on consumers, but also grants a variety of additional rights. This includes the right to contest the results of any profiling, as well as the right to know which actions they could have taken to secure a different outcome. There is also a right to review the personal data used in the profiling, to correct any inaccurate data, and then to get the decision reevaluated. This is a unique requirement that could have a significant impact on businesses using artificial intelligence or non-AI algorithms to make automated decisions that impact individuals, such as housing determinations, educational enrollment, and access to essential goods and services.
The MNCDPA introduces several unique privacy program requirements, definitions, and documentation. For example, data privacy and protection assessments (DPPAs) must be conducted for high-risk processing activities, including targeted advertising, selling personal data, processing sensitive data, and any processing with heightened risk of harm. Unlike other states, Minnesota’s DPPAs must detail the type of data, its sensitivity, and the context of processing, alongside describing necessary policies and procedures. The law also prohibits discrimination against consumers based on various personal data attributes in areas such as housing, employment, and public accommodations. Notably, the MNCDPA also takes a unique approach to location data, and defines “specific geolocation data” using precise latitude and longitude measurements rather than the more typical approach of a radius in feet, setting it apart from other states and possibly requiring businesses to revisit their approach to geolocation data.
Finally and unsurprisingly, the MNCDPA requires covered entities to have a “reasonably accessible, clear, and meaningful privacy notice.” The privacy notice must include, among other things, the purposes for which consumer data is processed, a description of retention policies for personal data, and the categories of data and third parties to whom that data is sold or shared. Fortunately, the MNCDPA does not require an independent Minnesota-specific privacy section, so long as the privacy policy itself meets the content requirements of the law.
How will the MNCDPA be enforced?
The Minnesota Attorney General’s Office will exclusively enforce the MNCDPA, with civil penalties available up to $7,500 per violation. Before January 31, 2026, enforcement must begin with an attorney general warning letter and a 30-day cure period, but any later violations will not be afforded the same opportunity to cure.
Given the complexities of the MNCDPA, we anticipate many organizations will have questions about the Act’s applicability, how to comply, and what steps can be implemented now to stay ahead of the July 31, 2025, effective date. For questions about the MNCDPA and how it may apply or affect your business, reach out to Nadeem Schwen or Lisa Ellingson, co-chairs of our Data Privacy team.