Minnesota: Consumer Data Privacy Act approved by Governor

On May 24, 2024, Senate Bill 4757, a bill for an act relating to commerce, containing the Minnesota Consumer Data Privacy Act (the Act), was approved by the Governor of Minnesota.

General provisions of the Act

The Act applies to legal entities that conduct business in Minnesota or produce products or services targeting Minnesota residents and satisfy one or more of the following:

  • during a calendar year, control or process personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • derive over 25% of gross revenue from the sale of personal data and process or control the personal data of at least 25,000 consumers.

The Act also applies to a controller or processor acting as a technology provider, and it lists excluded entities, such as small businesses, activities, and types of information.

Furthermore, the Act defines key terms such as 'biometric data,' 'consent,' 'controller,' 'decisions that produce legal or similarly significant effects concerning the consumer,' 'personal data,' 'processing,' and 'sale of personal data.'

Consumer rights

The Act outlines consumer personal data rights, including the right to access, rectification, erasure, portability, and opt out from targeted advertising, sale of personal data, or profiling. Furthermore, the Act provides the consumer with the right to be informed of the reason that the profiling resulted in a decision producing legal effects on a consumer, the right to review the data used in the profiling, and the right to obtain a list of the specific third parties to which personal data was disclosed.

Controller responsibilities

The Act highlights the responsibilities of controllers, which include:

  • transparency obligations regarding a reasonably accessible, clear, and meaningful privacy notice, as well as its content and disclosure;
  • limiting the use of data to what is adequate, relevant, and reasonably necessary in relation to the purposes of processing, including the obligation to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data; and
  • non-discrimination in the processing of personal data.

Data privacy and protection assessment

The Act outlines that a controller must document and maintain a description of the policies and procedures that the controller has adopted to comply with the Act, and provides what the descriptions must include.

Next steps and enforcement

The Act will become effective on July 31, 2025, and will be enforced by the Minnesota Attorney General. The Act does not provide for a private right of action.

You can read the Act here and view its legislative history here.