On May 24, 2024, the Governor of Minnesota signed MN HF 4757, enacting the Minnesota Consumer Data Privacy Act (MCDPA), a comprehensive state privacy law that will go into effect on July 31, 2025. This new law will ensure the privacy of residents of the State by providing them with privacy rights and by requiring businesses that need to comply with this law to meet certain requirements, such as providing a comprehensive and up-to-date Privacy Policy, maintaining a data inventory, practicing data minimization and more. In this article, we will be discussing the following aspects of Minnesota’s new privacy law so that you can ensure that you and your business are adequately prepared for this legislative development:
- Who needs to comply with the Minnesota Consumer Data Privacy Act;
- The definition of “personal data” under this law;
- The privacy rights provided to residents of Minnesota;
- The Privacy Policy requirements of Minnesota’s new privacy law;
- Penalties for non-compliance; and
- How Termageddon will handle updates for the MCDPA.
Who needs to comply with the Minnesota Consumer Data Privacy Act?
The MCDPA applies to legal entities that do business in Minnesota or that produce products or services that are targeted to residents of Minnesota and that meet one or more of the following thresholds:
- During a calendar year, controls or processes the personal data of 100,000 Minnesota residents or more;
- Derives over 25% of gross revenue from the sale of personal data and processes or controls the personal data of 25,000 Minnesota residents or more.
It is important to note that the MCDPA does not apply to nonprofit organizations that are established to detect and prevent fraudulent acts in connection with insurance, but it will apply to nonprofits that meet the criteria above if they perform their work in other fields. It is also important to note that Minnesota’s new privacy law specifically exempts small businesses, as defined by the United States Small Business Administration, from certain compliance requirements. Generally speaking, businesses with less than $2.25 million per year in revenue and fewer than 100 employees will be considered a “small business” by the SBA. However, businesses exceeding these thresholds may not be considered a “small business” based on their industry. The sole requirement that a small business is subject to is that it must not sell a consumer’s sensitive data without their consent.
How does the MCDPA define “personal data”?
Since the Minnesota Consumer Data Privacy Act applies to businesses that collect the personal data of residents of the State, it is important to determine how this law defines “personal data.” The MCDPA defines personal data as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” While the law exempts deidentified data or publicly available information, the following information commonly collected through websites would meet the law’s definition of “personal data”:
- Names
- Emails
- Phone numbers
- Physical addresses
- IP addresses
Note that if you do collect personal data and meet the factors outlined above, you will need to comply with the MCDPA.
What privacy rights does MCDPA provide to residents of Minnesota?
Minnesota’s new privacy law aims to give residents of the State greater control over their personal data by providing them with the following privacy rights:
- Confirm whether or not a controller is processing an individual’s personal data and access the categories of personal data that the controller is processing;
- Correct inaccurate personal data concerning the individual;
- Delete personal data;
- Obtain personal data in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance;
- Opt out of the processing of personal data for the purpose of targeted advertising;
- Opt out of the sale of personal data;
- Opt out of the processing of personal data for the purpose of profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the individual;
- If personal data is used for profiling, the individual has the right to question the results of the profiling, to be informed of the reason that the profiling resulted in the decision and to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The individual also has the right to review their personal data that is used in the profiling and, if this data is incorrect, to correct such data and for the profiling decision to be reevaluated based upon the corrected data;
- Obtain a list of the specific third parties to whom the controller has disclosed the consumer’s personal data;
- Not be discriminated against based upon the exercise of privacy rights.
Businesses that need to comply with Minnesota’s privacy law will have 45 days to respond to a privacy rights request, though this period may be extended by an additional 45 days if needed. Lastly, residents of Minnesota will also have a right to appeal a privacy rights decision if they are not satisfied with the business’ response.
Privacy Policy requirements of Minnesota’s new privacy law
The Minnesota Consumer Data Privacy Act requires businesses that need to comply with this privacy law to provide individuals with an accessible, clear, and meaningful Privacy Policy that includes the following information:
- The categories of personal data processed;
- The purposes for which the categories of personal data are processed;
- An explanation of the privacy rights provided to residents of Minnesota, including how and where individuals may exercise their rights, as well as appeal a privacy rights decision;
- The categories of personal data sold or shared with third parties, if any;
- The categories of third parties, if any, with whom the data is sold or shared;
- The controller’s contact information;
- A description of the controller’s retention policies for personal data;
- The date the Privacy Policy was last updated;
- Whether personal data is sold;
- Whether personal data is processed for targeted advertising;
- Whether personal data is processed for profiling.
In an attempt to harmonize with other privacy laws, the MCDPA states that businesses are not required to provide a specific Minnesota Privacy Policy or a section within the Privacy Policy that specifically mentions Minnesota if the Privacy Policy contains all of the information listed above.
Penalties for non-compliance
The MCDPA will be enforced by the Minnesota Attorney General, who may bring a civil action against a business violating this privacy law and impose a penalty of up to $7,500 per violation. Businesses will have a 30-day right to cure any violations that will expire on January 31, 2026.
How Termageddon will handle Privacy Policy updates for the MCDPA
We have been tracking this law since it was proposed as a bill and will continue tracking any amendments, rules, and regulations that are issued. Termageddon customers will receive a notice to update their Privacy Policies prior to July 31, 2025, and new Privacy Policy text updates will be available for customers who need to comply with this law prior to its enforcement date as well. If you do not currently have a Privacy Policy or do not have a strategy to keep your Privacy Policy up to date with changes such as this one, make sure to check out the Termageddon Privacy Policy generator.