Minnesota Governor approves new Consumer Data Privacy Act

Published Date
Jun 24 2024
On May 24 2024, Senate Bill 4757, a bill for an act relating to commerce containing the Minnesota Consumer Data Privacy Act (the 'Act'), was approved by the Governor of Minnesota. The Act, which becomes effective on July 31 2025, aims to give Minnesota consumers more rights in connection with their personal data.

Scope of the Act

The Act affects businesses that are located in Minnesota or that offer products or services to residents of Minnesota, and that meet certain thresholds regarding the control or processing of personal data. Specifically, it applies to:

(i) those that are handling (during a calendar year) the personal data of 100,000 or more consumers (excluding data for payment transactions) or those that are handling the personal data of 25,000 or more consumers if such businesses derive over 25% of their gross revenue from selling personal data; or

(ii) those that are technology providers and contract with education agencies and institutions pursuant to Minnesota Statute § 13.32.

The Act exempts several categories of entities, including government entities, federally recognized American Indian tribes, chartered banks or credit unions, and insurance companies. It also exempts certain data governed by other regimes, including financial data regulated by the Gramm-Leach-Bliley Act, protected health information governed by the Health Insurance Portability and Accountability Act, and consumer credit-reporting data. Small businesses, as defined by federal standards, are also exempt but must still obtain consent to sell sensitive personal data.

Key Aspects of the Act

The Act grants specific rights to consumers who are state residents in Minnesota and acting in a personal or household capacity, not in a commercial or employment context, subject to certain criteria, exemptions, and limitations. These rights include:

  • Verification and access: consumers have the right to confirm whether or not a business is processing their personal data and to access such personal data.
  • Correction: consumers have the right to correct any inaccuracies in their personal data.
  • Deletion: consumers have the right to have their personal data deleted.
  • Data portability: consumers have the right to obtain a copy of their personal data in a usable format.
  • Opt-out rights: consumers can opt out of their personal data being used for targeted advertising, sold, or used in profiling.
  • Disclosure of third parties: consumers can request a list of third parties to whom their data has been disclosed.

The Act also contains obligations on applicable businesses, such as limiting personal data collection, requiring consent for secondary data use, and conducting data privacy assessments. Under the Act, applicable businesses must provide clear privacy notices, notify consumers of material changes, and offer withdrawal options. 

While the Act includes provisions similar to those granted under other US state comprehensive privacy laws, the Act also has certain distinctive features, including:

  • Profiling decision rights. If a consumer’s personal data is used to make a profiling decision against them, the Act gives consumers the right to (i) know the reason behind such a decision and, if possible, what actions could have led to a different outcome and what actions may change future decisions and (ii) review the data used in the profiling decision, have any inaccuracies corrected, and have such decision reevaluated based on the correct data (as set forth in Section 6(1)(g) of the Act).
  • Expansion of consumer rights. The Act grants consumers (i) the right to obtain from a business a list of third parties to which such business has disclosed the consumer’s personal data or, if the business does not maintain this information in a format specific to the consumer, a list of third parties to which the business has disclosed personal data, (ii) the right to request a business to delete all personal data concerning the consumer, and (iii) the right to appeal a refusal by a business to take action on a request to exercise an individual consumer right by such business (as set forth in Section 6(1)(h), Section 6(1)(d)(4)(f) and Section 6(5) of the Act, respectively).
  • Data Processing Agreements (“DPAs”) Required. The Act requires that businesses enter into DPAs with all third parties processing personal data on their behalf (as set forth in Section 5(c) of the Act).
  • Protection for Teens. The Act explicitly prohibits businesses from processing the personal data of consumers for the purpose of targeted advertising where the business knows the consumer is between the ages of 13 and 16 (as set forth in Section 8(2)(f) of the Act).
  • Maintaining a personal data inventory. The Act requires that businesses establish, implement, and maintain reasonable administrative, technical, and physical data security measures to protect the confidentiality of personal data, including maintaining an inventory of any personal data that must be managed to achieve such measures (as set forth in Section 8(2)(c) of the Act).

Enforcement 

The Act will be enforced by the Minnesota Attorney General's Office. Violations of the Act may incur civil penalties, with fines reaching up to US $7,500 for each instance of non-compliance.

 
The Act is available here, and the legislative history here.