Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Minnesota: Consumer Data Privacy Act passes Senate and House
On May 19, 2024, the Senate Bill 4942 Omnibus Agriculture, Commerce, Energy, Utilities, Environment and Climate supplemental appropriations, containing Senate Bill 2915 for the Minnesota Consumer Data Privacy Act (the Minnesota Consumer Data Privacy Act) was repassed as amended by Conference, after passing its third reading.
General provisions of the Minnesota Consumer Data Privacy Act
The Minnesota Consumer Data Privacy Act applies to legal entities that conduct business in Minnesota or produce products or services targeting Minnesota residents and satisfy one or more of the following:
- during a calendar year, controls or processes personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- derives over 25% of gross revenue from the sale of personal data and processes or controls the personal data of at least 25,000 consumers.
The Minnesota Consumer Data Privacy Act also applies to a controller or processor acting as a technology provider, as well as lists excluded entities, such as small businesses, activities, and types of information.
Furthermore, the Minnesota Consumer Data Privacy Act defines key terms such as 'biometric data,' 'consent,' 'controller,' 'decisions that produce legal or similarly significant effects concerning the consumer,' 'personal data,' 'processing,' and 'sale of personal data.'
Consumer rights
The Minnesota Consumer Data Privacy Act outlines consumer personal data rights, including the right to access, rectification, erasure, portability, and opt-out from targeted advertising, sale of personal data, or profiling. Furthermore, the Minnesota Consumer Data Privacy Act provides the consumer with the right to be informed of the reason that the profiling resulted in a decision producing legal effects on a consumer, the right to review the data used in the profiling, and the right to obtain a list of the specific third parties to which personal data was disclosed.
Controller responsibilities
The Minnesota Consumer Data Privacy Act highlights the responsibilities of controllers, which include:
- transparency obligations regarding the reasonably accessible, clear, and meaningful privacy notice, as well as its content and disclosure;
- limiting the use of data to what is adequate, relevant, and reasonably necessary in relation to the purposes of processing, including the obligation to establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data; and
- nondiscrimination in the processing of personal data.
Data privacy and protection assessment
The Minnesota Consumer Data Privacy Act outlines that a controller must document and maintain a description of the policies and procedures that the controller has adopted to comply with the Minnesota Consumer Data Privacy Act, and provides what the descriptions must include.
Next steps and enforcement
The omnibus bill will now be sent to the Governor of Minnesota for signature to become law.
If enacted, the Minnesota Consumer Data Privacy Act will become effective on July 31, 2025, and will be enforced by the Minnesota Attorney General. The Minnesota Consumer Data Privacy Act does not provide for a private right of action.
You can read the Minnesota Consumer Data Privacy Act, as engrossed for the third time, here and view its legislative history here.