Clifford Chance

Talking Tech

Minnesota Data Privacy Law: An Overview

Data Privacy Consumer 4 August 2024

On May 19, 2024, Minnesota became the 18th State in the U.S. to enact comprehensive data privacy legislation when Minnesota Governor Tim Walz signed HF 4757, the Minnesota Consumer Data Privacy Act (the MNCDPA). The MNCDPA comes into effect on July 31, 2025. The MNCDPA joins other U.S. State data privacy laws that are either in effect or will soon come into force (together with the MNCDPA, the State Data Privacy Laws). This article summarizes key provisions of the MNCDPA.

Scope and Applicability

The MNCDPA applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to Minnesota residents and satisfy one or more of the following thresholds:

  • control or process personal data of 100,000 or more consumers in a calendar year (excluding personal data controlled or processed solely for the purpose of completing a payment transaction)
  • derive over twenty-five percent (25%) of gross revenue from the sale of personal data and process or control personal data of 25,000 or more consumers.

In addition, a controller or a processor acting as a technology provider under Minnesota Statute Section 13.32 (Educational Data) must comply with the MNCDPA, except when the provisions of Section 13.32 conflict with the MNCDPA legislation, in which case Section 13.32 prevails.

In contrast to most other State Data Privacy Laws, the first prong of the MNCDPA's applicability threshold excludes entities that process personal data of Minnesota consumers solely for the purpose of completing a payment transaction, likely exempting many brick-and-mortar stores that only collect payment data. However, the MNCDPA shares similarities with most other State Data Privacy Laws with respect to certain exclusions and exemptions. For example, the MNCDPA like most State Data Privacy Laws other than the California Consumer Privacy Act, as amended by the California Privacy Rights Act (the CCPA), expressly excludes personal data collected or processed from individuals acting in an employment or commercial context (e.g., business-to-business activities). The MNCDPA also does not apply to the processing of personal data by a person "in the course of a purely personal or household activity."

The MNCDPA includes exemptions in line with most other State Data Privacy Laws, and does not apply to State political subdivisions or entities, insurance companies, State or federally chartered banks, healthcare providers and any information or data regulated by certain other privacy laws, including the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act. Like the Texas Data Privacy and Security Act, the MNCDPA exempts small businesses, as defined by the United States Small Business Administration (except with respect to certain obligations regarding sensitive data). In contrast to most State Data Privacy Laws, the MNCDPA does not include an exemption for institutions of higher education, and its nonprofit exemptions are much narrower than those under other State Data Privacy Laws. This means that the MNCDPA may likely apply to many non-profits.

Controller and Processor Regime

The MNCDPA, like certain other State Data Privacy Laws, follows the regulatory framework of the European Union's General Data Protection Regulation, which distinguishes between the roles and responsibilities of controllers and processors. The MNCDPA defines a "controller" as an individual or other person that, alone or jointly with others, determines the purpose and means of processing personal data, and a "processor" as an individual who processes personal data on behalf of a controller.

The MNCDPA requires controllers to provide consumers with a reasonably accessible and clear privacy notice, which, among other things, discloses:

  • the categories of personal data processed by the controller and the purpose of such processing
  • the categories of personal data that the controller sells to or shares with third parties, if any
  • the categories of third parties, if any, to whom the controller sells or shares personal data
  • how consumers may exercise their privacy rights, including the appeals process
  • the controller's contact information
  • a description of the controller's retention policy for personal data
  • the date the privacy notice was last updated.

Controllers may only collect personal data that is "adequate, relevant, and reasonably necessary" for the purposes for which such data is processed.

Controllers are also required to implement and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise those responsibilities. The "maintenance of an inventory of the data" is a novel responsibility for controllers under the MNCDPA when compared to most other State Data Privacy Laws. Another novel requirement under the MNCDPA is the appointment of a chief privacy officer or other individual for directing the controller's policies and procedures for MNCDPA compliance purposes.

Similar to certain other State Data Privacy Laws, the MNCDPA requires that controllers conduct and document data protection assessments in connection with certain processing activities, such as processing personal data for targeted advertising or certain profiling purposes, selling personal data, processing sensitive data, or any other processing activity that presents a heightened risk of harm to consumers. A data protection assessment must identify and weigh the benefits of the processing activity against the potential risks to consumers (as mitigated by the safeguards employed by the controller related to such risks). In contrast to some State Data Privacy Laws, data protection assessment obligations under the MNCDPA apply to activities on or after July 31, 2025 (i.e., the statute's effective date), rather than a subsequent date. The MNCDPA also requires that, upon request, a controller make available to the Attorney General a data privacy and protection assessment that is relevant to an investigation. Controllers may use data protection assessments created pursuant to other laws with similar requirements, including other relevant State Data Privacy Laws, for MNCDPA compliance purposes.

Like most other State Data Privacy Laws, the MNCDPA requires controllers and processors to enter into written contracts which govern the data processing procedures performed by processors on behalf of controllers. The MNCDPA requires contractual provisions that include clear instructions for the processing of applicable data, describe the type of data subject to, and the duration, nature, and purpose of, such processing, and specify the rights and obligations of each party, including compliance inspections and information requests. Processors must be subject to a duty of confidentiality with respect to the applicable data and must ensure similar protections when entering into subcontracts with sub-processors and third parties.

Consumer Rights and Requests

The MNCDPA provides a variety of individual consumer rights that align with most other State Data Privacy Laws. These rights provide consumers with a right to access, correct, delete, and obtain a copy of their personal data, and to opt out of the sale of personal data and/or the sharing of personal data for targeted advertising. The MNCDPA also gives consumers the right to obtain a list of the specific third parties to whom the controller has disclosed the consumer's personal data (or a list of third parties to which the controller has disclosed any consumers' personal data generally). Furthermore, the MNCDPA provides consumers with the novel right to question the result of certain profiling decisions, to be informed of the reason that profiling resulted in such decisions, and to be informed of what actions the consumer might have taken to secure a different decision in the future.

The MNCDPA also permits parents and guardians to exercise rights on behalf of their children (defined as individuals under the age of thirteen (13)). Children's data must be processed in accordance with the Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq. (COPPA), which requires consent from parents or guardians. Similar to the requirements under Connecticut's Data Privacy Act, the MNCDPA requires controllers to provide a mechanism for consumers to revoke previously given consent for personal data concerning a child, the child's parents, or a lawful guardian. Upon revocation of consent, a controller must cease to process applicable data no later than fifteen (15) days after receipt of request.

The MNCDPA grants consumers certain rights with respect to other "sensitive data." The MNCDPA's definition of "sensitive data" is similar to definitions in most other State Data Privacy Laws, which encompass a consumer's racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexuality, citizenship or immigration status, genetic or biometric data, children's data, and precise geolocation data. Similar to certain other State Data Privacy Laws, like the Virginia Consumer Data Protection Act, the MNCDPA provides an "opt-in" regime with respect to the processing of sensitive data where controllers may not process a consumer's sensitive data "without obtaining the consumer's consent" (or in accordance with COPPA if the "sensitive data" is children's data).

Like other State Data Privacy Laws, with regards to discrimination, the MNCDPA notes that a controller shall not process personal data on the basis of a consumer's actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability. The MNCDPA also aligns with many State Data Privacy Laws by prohibiting a controller from discriminating against a consumer for exercising any of the rights contained within the privacy law, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer.

Right to Appeal

Under the MNCDPA, a controller must respond to a consumer's request to exercise a right within forty-five (45) days of receipt of such request. A controller can extend the response period once by an additional forty-five (45) day period when reasonably necessary and in consideration of the complexity and number of consumer requests received within the initial forty-five (45) day period by providing notice and an explanation for the delay to the consumer.

Like most other State Data Privacy Laws, the MNCDPA requires that if a controller does not act on a consumer's request, the controller must explain the justification for not taking action and include instructions for appeal that are conspicuously available and similar to the process for submitting consumer rights requests. Within forty-five (45) days of receipt of an appeal request, a controller must inform the consumer of any action taken or not taken in response to the appeal, along with a written explanation of the appeal decision. A controller may extend that period by an additional sixty (60) days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within forty-five (45) days of receipt of the appeal, together with the reasons for the delay. If the appeal is denied, the controller must provide the consumer with a written explanation of the reasons for the controller's decision and information about how to file a complaint with the office of the Attorney General. The controller must also maintain records of all appeals and the controller's responses for at least twenty-four (24) months, and provide a copy to the Attorney General upon request.

Selling Personal Data

The MNCDPA defines the "sale of personal data" as "the exchange of personal data for monetary or other valuable consideration by the controller to a third party." The MNCDPA also provides exceptions to the "sale of personal data" definition in line with a number of other State Data Privacy Laws, including a controller's disclosure of personal data:

  • to a processor that processes personal data on behalf of the controller
  • to a third party for purposes of providing a product or service requested by the consumer
  • to the controller's affiliates
  • that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience
  • to a third party as an asset that is part of a merger, acquisition, bankruptcy, or other transactions.

Additionally, the exchange of personal data between the producer of a good or service and the producer's authorized agents who sell the goods or services is exempted from the "sale of personal data" definition.

As noted above, controllers must provide consumers with the ability to opt out of the sale of their personal data. Similar to the Connecticut Data Privacy Act and the Colorado Privacy Act, the MNCDPA requires that controllers provide an opt-out method that uses a preference signal sent with the consumer's consent to the controller. Such an opt-out preference signal:

  • may not unfairly disadvantage another controller
  • may not make use of a default setting, but require the consumer to make an affirmative, freely given, and unambiguous choice to opt out
  • must be consumer friendly and easy to use by the average consumer
  • must be consistent with any other similar platform, technology, or mechanism required by any federal or state law or regulation
  • must enable the controller to accurately determine whether the consumer is a Minnesota resident and whether the consumer has made a legitimate request to opt out of any sale of the consumer's personal data.

Targeted Advertising

The MNCDPA defines "targeted advertising" as "displaying advertisements to a consumer where the advertisement is selected based on personal data obtained or inferred from the consumer's activities over time and across nonaffiliated websites or online applications to predict the consumer's preferences or interests." Like most other State Data Privacy Laws, the MNCDPA expressly excludes certain activities from the definition of "targeted advertising," such as advertisements based on:

  • activities within a controller's own websites or online applications
  • the context of a consumer's current search query or visit to a website or online application
  • the consumer's request for information or feedback
  • processing that measures or reports advertising performance, reach, or frequency.

The MNCDPA also imposes the same opt-out requirements on controllers in connection with targeted advertising as it does with respect to the sale of personal data.

Deidentified and Pseudonymous Data

The MNCDPA defines "deidentified data" as data that cannot be reasonably used to infer information or otherwise be linked to an identified or identifiable natural person or device, and such data is expressly excluded from the definition of "personal data." Similar to certain other State Data Privacy Laws, the MNCDPA requires that controllers in possession of deidentified data take reasonable measures to ensure that the data cannot be associated with a natural person and contractually obligate any recipients of deidentified data to comply with all applicable provisions of the MNCDPA. Additionally, like some other State Data Privacy Laws, such as the Virginia Consumer Data Protection Act, the Utah Consumer Privacy Act, and the Connecticut Data Privacy Act, the MNCDPA requires controllers to "publicly commit" not to re-identify deidentified data.

The MNCDPA defines "pseudonymous data" as any information that cannot be attributed to a specific natural person without the use of additional information. Certain consumer personal data rights (e.g., the rights to access, delete, and opt out) under the MNCDPA do not apply to pseudonymous data if the controller demonstrates that any additional information necessary to identify the consumer is kept separately and subject to effective technical and organizational controls that prevent the controller from accessing such information. The MNCDPA further prohibits any attempt to identify the subjects of data that has been collected solely with pseudonymous identifiers.

The MNCDPA requires controllers that use deidentified and/or pseudonymous data to exercise reasonable oversight to monitor compliance with any contractual commitments with third parties related to such data (including avoiding attempts to re-identify such data) and to take appropriate actions to address any breaches of such contractual commitments.

Enforcement and Penalties

In contrast to the CCPA, the MNCDPA does not provide consumers with a private right of action and is not enforced by a dedicated privacy agency. Rather, the MNCDPA is enforced by the Minnesota Attorney General. Under the MNCDPA, the Minnesota Attorney General, prior to initiating an action, will provide a controller with a "warning letter" that identifies the specific provision(s) alleged to have been violated. The controller and/or processor may cure such alleged violations within thirty (30) days after the issuance of the warning letter. If uncured, the Minnesota Attorney General may initiate an action against the controller and/or processor and recover up to $7,500 in civil penalties per violation. The right-to-cure provision sunsets on January 31, 2026.