Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Minnesota - Data Protection Overview
Back

Minnesota - Data Protection Overview

June 2024

1. Governing Texts

1.1. Key acts, regulations, directives, bills

On May 24, 2024, the Governor of Minnesota approved the Minnesota Consumer Data Privacy Act (the MCDPA). The MCDPA will take effect from July 31, 2025, but postsecondary institutions regulated by the Office of Higher Education are not required to comply with the MCDPA until July 31, 2029 (§14 of the MCDPA).

1.2. Guidelines

The Attorney General of Minnesota (AG) has not yet issued any guidance.

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

The MCDPA applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds Minnesota (§4(1)(a) of the MCDPA):

  • during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing payment transactions; or
  • derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

A controller or processor acting as a technology provider under §13.32 must comply with the MCDPA and §13.32, except when the provisions of §13.32 conflict with the MCDPA, §13.32 prevails.

However, the MCDPA does not apply to government entities and federally recognized Indian tribes (§4(2)(a)(1) and (2) of the MCDPA). The MCDPA does not apply to small businesses, as defined by Title 13 of Part 121 of the United States Small Business Administration under Code of Federal Regulations, except in relation to the sale of sensitive information (§4(2)(a)(19) of the MCDPA).

2.2. Territorial scope

The MCDPA applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota (§4(1)(a) of the MCDPA).

2.3. Material scope

The MCDPA outlines specific information and activities that will be exempt from its scope, including (§4(2)(a)(3)(i) - (vi) of the MCDPA):

  • health records;
  • protected health information, as defined by and for the purposes of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and related regulations;
  • patient-identifying information for the purposes of  §290dd-2 of Part D Subchapter III-A of Chapter 6A of 42 U.S. Code (U.S.C.);
  • information that is derived from any healthcare-related information but that has been deidentified in accordance with the requirements for deidentification set forth in Part 164.514 of Title 45 of the Code of Federal Regulations (C.F.R.);
  • personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act of 1999 and implementing regulations;
  • the collection, maintenance, disclosure, sale, communication, or use of personal information bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, furnisher, or user that provides information for use in a consumer report, and by a use of a consumer report, but only to the extent that the activity is regulated by and authorized under the Federal Fair Credit Reporting Act;
  • personal data collected, processed, sold, or disclosed pursuant to the Farm Credit Act;
  • personal data regulated by the Family Educational Rights and Privacy Act and its implementing regulations;
  • personal data collected, processed, sold, or disclosed in relation to price, route, or service by an air carrier subject to the Federal Airline Deregulation Act; and
  • data collected or maintained;
    • in the course of an individual acting as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of a business if the data is collected and used solely within the context of the role;
    • as the emergency contact information of an individual if used solely for emergency purposes; or
    • that is necessary for the business to retain to administer benefits;
  • a nonprofit organization that is established to detect and prevent fraudulent acts in 163.29 connection with insurance.

The MCDPA also states that it does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity (§11(e)(2) of the MCDPA).

3. Data Protection Authority | Regulatory Authority 

3.1. Main regulator for data protection

The AG is responsible for the enforcement of the MCDPA.

3.2. Main powers, duties and responsibilities

The AG has exclusive authority to enforce violations under the MCDPA.

4. Key Definitions

Data controller: A natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data (§3(h) of the MCDPA).

Data processor: A natural or legal person who processes personal data on behalf of a controller (§3(r) of the MCDPA).

Personal data: Any information that is linked or reasonably linkable to an identified or identifiable natural person. This does not include de-identified data or publicly available information. Publicly available means information that (§3(p) of the MCDPA):

  • is lawfully made available from federal, state, or local government records or widely distributed media; or
  • a controller has a reasonable basis to believe has lawfully been made available to the general public.

Sensitive data: A form of personal data, including (§3(v)(1) - (4) of the MCDPA):

  • personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
  • the processing of biometric data or genetic information for the purpose of uniquely identifying an individual;
  • the personal data of a known child; or
  • specific geolocation data, meaning information derived from technology according to §3(w) of the MCDPA.

Health data: The MCDPA does not provide a definition for 'health data.' However, the MCDPA adopts the definition of 'genetic information' from §13.386(1) of the Minnesota Statues of 2023.

Biometric data: Data generated by automatic measurements of an individual's biological characteristics, including a fingerprint, a voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual (§3(d) of the MCDPA).

Pseudonymization: Personal data that cannot be attributed to a specific natural person without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (§3(t) of the MCDPA).

Data subject: The MCDPA does not provide a definition for 'data subject;' however, 'consumer is defined as a natural person who is a Minnesota resident acting only in an individual or household context. Consumer does not include a natural person acting in a commercial or employment context (§3(g) of the MCDPA).

5. Legal Bases

When processing personal data, processing based on §11 of the MCDPA, the processing must be:

  • necessary, reasonable, and proportionate;
  • adequate, relevant, and limited to what is necessary in relation to the specific purpose(s);
  • insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers.

If a controller processes personal data pursuant to any of the following exemptions, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the principles outlined in the section on principles (§11(g) of the MCDPA). The MCDPA clarifies that processing personal data solely for the purposes expressly identified in §11(a)(1) - (7) of the MCDPA, does not, by itself, make an entity a controller with respect to the processing (§11(h) of the MCDPA).

5.1. Consent

Consent is defined as any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer. Consent does not include:

  • the acceptance of a general or broad terms of use or similar document that contains descriptions of personal data processing along with other, unrelated information;
  • hovering over, muting, pausing, or closing a given piece of content does not constitute consent; or
  • when the consumer's indication has been obtained by a dark pattern.

Unless otherwise provided in the MCDPA, a controller may not process personal data for purposes that are not reasonably necessary to, or compatible with, the purposes for which the personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer's consent (§8(2)(b) of the MCDPA). Furthermore, a controller may not process the personal data of a consumer for purposes of targeted advertising or sell the consumer's personal data, without the consumer's consent, under circumstances where the controller knows that the consumer is between the ages of 13 and 16 (§8(2)(f) of the MCDPA).

In line with the above, a consumer may revoke consent previously given. A controller must provide an effective mechanism for a consumer, or in the case of the processing of personal data concerning a known child, the child's parents or lawful guardian, to revoke previously given consent and that the mechanism shall be at least as easy as the mechanism by which consent was previously given. Upon revocation of consent, controllers must cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request (§8(2)(e) of the MCDPA).

5.2. Contract with the data subject

The MCDPA does not specifically provide that personal data can be processed for the performance of a contract with a consumer. However, the MCDPA provides that it does not restrict a controller's or a processor's ability to provide a product or service specifically requested by a consumer, perform a contract to which a consumer is a party, including fulfilling the terms of a written warranty, or take steps at the request of the consumer prior to entering into a contract (§11(a)(5) of the MCDPA).

Additionally, controllers or processors can perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party11(b)(2) of the MCDPA).

5.3. Legal obligations

The MCDPA does not specifically provide that personal data can be processed for the performance of a contract with a consumer. However, the MCDPA provides that it does not restrict a controller's or processor's ability to (§11(a)(1) - (4) of the MCDPA):

  • comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations; and
  • investigate, establish, exercise, prepare for, or defend legal claims

5.4. Interests of the data subject

The MCDPA does not specifically provide that personal data can be processed based on the interest of consumers. However, it does not restrict a controller's or processor's ability to take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another legal person, and where the processing cannot be based on another legal basis (§11(a)(6) of the MCDPA).

5.5. Public interest

The MCDPA does not specifically provide that personal data can be processed based on public interest. However, the MCDPA provides that it does not restrict a controller's or processor's ability to do the following:

  • engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined (§11(a)(9)(i) - (iii) of the MCDPA):
    • the research is likely to provide substantial benefits that do not exclusively accrue to the controller;
    • the expected benefits of the research outweigh the privacy risks; and
    • the controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification; and
  • process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is (§11(a)(10)(i) - (ii) of the MCDPA):
    • subject to suitable and specific measures to safeguard the rights of the consumer whose data is being processed; and
    • under the responsibility of a professional individual who is subject to confidentiality obligations under federal, state, or local law.

5.6. Legitimate interests of the data controller

The MCDPA does not specifically provide that personal data can be processed based on the legitimate interests of a data controller. However, the MCDPA provides that it does not restrict the controller's or processor's ability to prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, preserve the integrity or security of systems, or investigate, report, or prosecute those responsible for such action (§11(a)(7) of the MCDPA).

Additionally, the bill provides that controllers and processors can effectuate a product recall or identify and repair technical errors that impair existing or intended functionality and conduct internal research to develop, improve, or repair products, services, or technology (§11(b)(1) and (3) of the MCDPA).

5.7. Legal bases in other instances

The MCDPA specifies that its obligations do not limit a controller's or processor's ability to assist another controller, processor, or third party with an obligation under the MCDPA ((§11(a)(8) of the MCDPA).

Furthermore, the obligations imposed do not apply to controllers and processors when compliance by the controller or processor would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication (§11(c) of the MCDPA).

6. Principles

In relation to the use of personal data, the MCDPA provides that a controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer. In addition, a controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue.

Nondiscrimination

With regards to nondiscrimination, controllers must not process personal data on the basis of a consumer's or class of consumers' actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminated against the consumer or class of consumers with respect to the offering or provision of housing, employment, credit, education, or goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation (§8(3)(a) of the MCDPA).

7. Controller and Processor Obligations

Deidentified or pseudonymous data

In relation to the processing of deidentified or pseudonymous data, controllers, processors, or third parties that use such data must:

  • exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or deidentified data are subject, and must take appropriate steps to address any breaches of contractual commitments (§7(c) of the MCDPA);
  • not attempt to identify the subjects of de-identified or pseudonymous data without the express authority of the controller that caused the data to be deidentified or pseudonymized (§7(d) of the MCDPA); and
  • not attempt to identify the subjects of data that has been collected with only pseudonymous identifiers (§7(e) of the MCDPA).

Furthermore, the MCDPA does not require a controller or processor to do the following (§7(a)(1) - (3) of the MCDPA):

  • reidentify deidentified data;
  • maintain data in an identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or
  • comply with an authenticated consumer request to access, correct, delete, or port personal data if all of the following apply:
    • the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data;
    • the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
    • the controller does not sell the personal data to any third party other than a processor, except as otherwise permitted.

7.1. Data processing notification

The MCDPA does not specifically provide for data processing notification.

7.2. Data transfers

The MCDPA does not specifically address cross-border data transfers but defines 'sale,' 'sell,' or 'sold' as the exchange of personal data for monetary or other valuable consideration by the controller to a third party (§3(u) of the MCDPA).

'Sale' does not include the following (§3(u)(1) - (6) of the MCDPA):

  • the disclosure of personal data to a processor who processes the personal data on behalf of the controller;
  • the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer;
  • the disclosure or transfer of personal data to an affiliate of the controller;
  • the disclosure of information that the consumer intentionally made available to the general public via a channel of mass media and did not restrict to a specific audience;
  • the disclosure or transfer of personal data to a third party as an asset that is part of a completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller's assets; or
  • the exchange of personal data between the producer of a good or service and authorized agents of the producer who sell and service the goods and services, to enable the cooperative provisioning of goods and services by both the producer and the producer's agents.

§9(a) of the MCDPA specifies that a small business that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota must not sell a consumer's sensitive data without the consumer's prior consent.

Regarding third parties, a controller or processor that discloses personal data to a third-party controller or processor in compliance with the MCDPA is not in violation of the MCDPA if the recipient processes the personal data in violation of the MCDPA, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the MCDPA is not in violation of the MCDPA for the obligations of the controller or processor from which the third-party controller or processor receives the personal data (§11(d) of the MCDPA).

7.3. Data processing records

The MCDPA does not specifically oblige controllers or processors to create and maintain data processing records. However, §10(a) of the MCDPA outlines an obligation on controllers to document and maintain a description of the policies and procedures the controller has adopted to comply with the MCDPA. The description must include, where applicable (§10(a)(1) - (2) of the MCDPA):

  • the name and contact information for the controller's chief privacy officer or other individual with primary responsibility for directing the policies and procedures implemented to comply with the MCDPA; and
  • a description of the controller's data privacy policies and procedures, as well as any policies and procedures designed to:
    • reflect the requirements of the MCDPA in the design of the controller's systems;
    • identify and provide personal data to a consumer;
    • establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise responsibilities;
    • limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed;
    • prevent the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless the retention of data is otherwise required by law or permitted; and
    • identify and remediate violations of the MCDPA.

7.4. Data protection impact assessment

Processors are obliged to provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments (§5(b)(2) of the MCDPA).

Controllers must conduct and document a data privacy and protection assessment for each of the following processing activities (§10(b)(1) - (5) of the MCDPA):

  • the processing of personal data for targeted advertising purposes;
  • the sale of personal data;
  • the processing of sensitive data;
  • any processing activities involving personal data that present a heightened risk of harm to consumers; and
  • the processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of
    • unfair or deceptive treatment of, or disparate impact on, consumers;
    • financial, physical, or reputational injury to consumers;
    • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
    • other substantial injury to consumers.

The MCDPA states that data privacy and protection assessments must:

  • take into account the type of personal data to be processed by the controller, including the extent to which personal data are sensitive data, and the context in which the personal data are to be processed (§10(c) of the MCDPA);
  • identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks (§10(d) of the MCDPA); and
  • include the description of policies and procedures (§10(e) of the MCDPA).

Data privacy and protection assessments or risk assessments conducted by a controller for the purpose of compliance with other laws or regulations may qualify if the assessments have a similar scope and effect (§10(g) of the MCDPA). As well as this, a single data protection assessment may address multiple sets of comparable processing operations that include similar activities (§10(h) of the MCDPA).

Lastly, controllers must make a data privacy and protection assessment available to the AG upon a written request during an investigation, and the AG may evaluate the data privacy and protection assessments for compliance with the MCDPA. Data privacy and protection assessments are classified as nonpublic data and the disclosure of such to the AG does not constitute a waiver of attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment (§10(f) of the MCDPA).

7.5. Data protection officer appointment

The MCDPA does not specifically address data protection officer appointments but §10(a)(1) of the MCDPA makes reference to a chief privacy officer or other individual with primary responsibility for directing the policies and procedures implemented to comply with the MCDPA, whose details must be provided in the description of policies and procedures.

7.6. Data breach notification

The MCDPA does not specifically provide for breach notification requirements but does specify that processors must assist controllers in meeting the obligations of the controller in relation to the notification of a breach of security or of the system of the processor (§5(b)(2) of the MCDPA).

For further information, see Minnesota - Data Breach.

7.7. Data retention

§10(a)(2)(v) of the MCDPA prevents the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under §11 of the MCDPA on limitations and applicability.

7.8. Children's data

The MCDPA gives the term 'child' the same meaning as in title 14, §6501 of the Children's Online Privacy Protection Act of 1998 (COPPA) and defines 'known child' as a person under circumstances where a controller has actual knowledge of, or willfully disregards, that the person is under 13 years of age (§3((e) and (o) of the MCDPA). The personal data of a known child is considered as 'sensitive data' under §3(v)(3) of the MCDPA.

Except as otherwise provided in the MCDPA, a controller may not process personal data concerning a known child without obtaining consent from the child's parent or lawful guardian in accordance with the requirement of §6501 - 6506 of COPPA and its implementing regulations, rules, and exemptions (§8(2)(d) of the MCDPA).

In the same vein, controllers that are in compliance with COPPA and its implementing regulations shall be deemed compliant with any obligation to obtain parental consent under the MCDPA (§4(b) of the MCDPA).

Targeted advertising and selling of data

According to §8(2)(f) of the MCDPA, controllers may not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data, without the consumer's consent, under circumstances where the controller knows that the consumer is between the ages of 13 and 16 years.

7.9. Special categories of personal data

Under §8(2)(d) of the MCDPA, controllers may not process sensitive data concerning a consumer without obtaining the consumer's consent, or in the case of the processing of personal data concerning a known child, without obtaining consent from the child's parent or guardian, in accordance with the requirement of the COPPA and its implementing regulations, rules, and exemptions.

In the case of processing of sensitive data, the controller is required to conduct and document a data privacy and protection assessment (§10(b)(3) of the MCDPA).

The MCDPA specifies that a small business that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota, must not sell a consumer's sensitive data without the consumer's prior consent (§9(a) of the MCDPA).

7.10. Controller and processor contracts

Processors must adhere to the instructions of controllers and assist the same in meeting their obligations under the MCDPA, which includes (§5(b) of the MCDPA):

  • taking into account the nature of the processing, implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights;
  • taking into account the nature of processing and the information available to the processor, assisting the controller in meeting the controller's obligations in relation to:
    • the security of processing the personal data; and
    • the notification of a breach of the security of the system; and
  • provide information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required.

The MCDPA outlines that a contract between a controller and a processor must govern the processor's data processing procedures with respect to processing performed on behalf of the controller and processing instructions to which the processor is bound (§5(c) and (e) of the MCDPA). The contract must be binding and must clearly set forth instructions for (§5(c) and (e) of the MCDPA):

  • the nature and purpose of the processing;
  • the type of personal data subject to the processing;
  • the duration of the processing; and
  • the obligations and rights of both parties.

Furthermore, the contract must include requirements, which include:

  • taking into account the context of processing, requirements for implementing appropriate technical and organizational measures by the controller and the processor to ensure a level of security appropriate to the risk and for establishing a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures (§5(d) of the MCDPA);
  • requirements for the processor to:
    • ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data (§5(c)(1) of the MCDPA);
    • engage a subcontractor only after providing the controller with an opportunity to object and pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data (§5(c)(2) of the MCDPA);
    • delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law (§5(e)(1) of the MCDPA);
    • upon reasonable request from the controller, make available to the controller all information necessary to demonstrate compliance with the MCDPA (§5(e)(2) of the MCDPA); and
    • allow for and contribute to reasonable assessments and inspections by the controller or the controller's designated assessor or arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under the MCDPA (§ 5(e)(3) of the MCDPA).

The contract does not relieve a controller or a processor from the liabilities imposed on a controller or processor by virtue of the controller's or processor's roles in the processing relationship (Under §5(f) of the MCDPA).

Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A person that is not limited in the person's processing of personal data pursuant to a controller's instructions, or that fails to adhere to a controller's instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing (§5(g) of the MCDPA).

8. Data Subject Rights

Consumers may exercise their rights by submitting a request, at any time, to a controller specifying which rights the consumer wishes to exercise (§6(2)(a) of the MCDPA). In the case of processing personal data concerning a known child, the parent or legal guardian of the known child may exercise consumer rights on the child's behalf (§6(2)(b) of the MCDPA). With respect to processing personal data concerning a consumer legally subject to guardianship or conservatorship, the guardian or the conservator of the consumer may exercise consumer rights on behalf of the consumer (§6(2)(c) of the MCDPA).

Controllers may not discriminate against a consumer for exercising any of the rights provided for in the MCDPA, including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. This section of the MCDPA does not (§8(3)(b) of the MCDPA):

  • require controllers to provide a good or service that requires the consumer's personal data that the controller does not collect or maintain; or
  • prohibit controllers from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.

Submission format

Under the MCDPA, controllers must provide one or more secure and reliable means for consumers to submit a request to exercise their consumer rights, taking into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests (§6(4)(b) of the MCDPA). A controller may not require a consumer to create a new account to exercise a right but may require a consumer to use an existing account (§6(4)(c) of the MCDPA).

Response time

A controller must comply with a request to exercise consumer rights as soon as feasibly possible, but no later than 45 days of the receipt of the request (§6(4)(d) of the MCDPA).  

Controllers must inform a consumer of any action taken on a request without undue delay and in any event within 45 days of receipt of the request, the period may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests. The controller must inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay (§6(4)(e) of the MCDPA).

Fees

Information must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request or refuse to act on the request. Importantly, the controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request (§6(4)(e) of the MCDPA).

Authentication

Controllers are not required to comply with a request to exercise consumer rights if the controller is unable to authenticate the request using commercially reasonable efforts. In these cases, the controller may request the provision of additional information reasonably necessary to authenticate the request (§6(4)(h) of the MCDPA).

Additionally, controllers are not required to authenticate an opt-out request, but controllers may deny an opt-out request if the controller has good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief (§6(4)(h) of the MCDPA).

Declining requests and appeals

The MCDPA does not require a controller or a processor to comply with an authenticated consumer request to access, correct, delete, or port personal data if the following is true (§7(a)(3) of the MCDPA):

  • the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data;
  • the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
  • the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted.

If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller (§6(4)(f) of the MCDPA).

Information provided in response to a consumer request must be provided by the controller free of charge up to twice annually to the consumer. Where requests from a consumer are manifestly unfounded or excessive, in particular, because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request (§6(4)(g) of the MCDPA).

Appeals

Controllers must establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise consumer rights within a reasonable period of time after the consumer's receipt of the notice sent by the controller (§6(5)(a) of the MCDPA). This appeal process must be conspicuously available and must include the ease-of-use provisions applicable to submitting requests (§6(5)(b) of the MCDPA).

Within 45 days of receipt of an appeal, controllers must inform consumers of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. This period may be extended by 60 additional days where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal. The controller must inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay (§6(5)(c) of the MCDPA).

When informing consumers of any action taken or not taken in response to an appeal, the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the AG. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the AG as part of an investigation, comply and provide a copy of the records to the AG (§6(5)(d) of the MCDPA).

Exemptions

The consumers contained in (§6(1)(b) to (e) and (h) do not apply to pseudonymous data in cases where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

8.1. Right to be informed

Consumers have the right to confirm whether or not a controller is processing personal data concerning the consumer (§6(1)(b) of the MCDPA). Additionally, consumers have the right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data (§6(1)(h) of the MCDPA). If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead (§6(1)(h) of the MCDPA).

Importantly, in response to a consumer request, a controller must not disclose the following information about a consumer, but must instead inform the consumer with sufficient particularity that the controller has collected that type of information (§4(1)(i) of the MCDPA):

  • social Security number;
  • driver's license number or other government-issued identification number;
  • financial account number;
  • health insurance account number or medical identification number;
  • account password, security questions, or answers; or
  • biometric data.

Furthermore, in response to a consumer request, a controller is not required to reveal any trade secret (§4(1)(j) of the MCDPA).

Privacy notices

Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes the following information (§8(1)(a)(1) - (8) of the MCDPA):

  • the categories of personal data processed by a controller;
  • the purposes for which the categories of personal data are processed;
  • an explanation of consumer rights and how and where consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request;
  • the categories of personal data that the controller sells or shares with third parties, if any;
  • the categories of third parties, if any, with whom the controller sells or shares personal data;
  • the controller's contact information, including an active email address or other online mechanism that the consumer may use to contact the controller;
  • a description of the controller's retention policies for personal data; and
  • the date the privacy notice was last updated.

Where a controller sells personal data to third parties, processes personal data for targeted advertising, or engages in profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the controller must disclose the processing in the privacy notice and provide access to a clear and conspicuous method outside the privacy notice for a consumer to opt out of the sale, processing, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer. This method may include but is not limited to an Internet hyperlink clearly labeled 'Your Opt-Out Rights' or 'Your Privacy Rights' that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request (§8(b) of the MCDPA).

Privacy notices must be made available to the public in each language in which the controller provides a product or service that is subject to the privacy notice or carries out activities related to the product or service (§8(1)(c) of the MCDPA). Additionally, controllers must provide privacy notices in a manner that is reasonably accessible to and usable by individuals with disabilities (§8(1)(d) of the MCDPA).

Privacy notices must be posted online through a conspicuous hyperlink using the word 'privacy' on the controller's website home page or on a mobile application's app store page or download page. Controllers that maintain an application on a mobile or other device must also include a hyperlink to the privacy notice in the application's settings menu or in a similarly conspicuous and accessible location. Controllers that do not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers (§8(1)(g) of the MCDPA).

Whenever a controller makes a material change to the controller's privacy notice or practices, the controller must take all reasonable electronic measures to notify consumers affected and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data (§8(1)(e) of the MCDPA).

Lastly, controllers are not required to provide a separate Minnesota-specific privacy notice or section of a privacy notice if the controller's general privacy notice contains all the information listed in §8(1) of the MCDPA (§8(1)(f) of the MCDPA).

8.2. Right to access

Consumers have the right to access the categories of personal data the controller is processing (§6(1)(b) of the MCDPA).

8.3. Right to rectification

A consumer has the right to correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data. (§6(1)(c) of the MCDPA).

8.4. Right to erasure

A consumer has the right to delete personal data concerning the consumer (§6(1)(d) of the MCDPA). Delete means to remove or destroy information so that it is not maintained in human- or machine-readable form and cannot be retrieved or utilized in the ordinary course of business (§3(l) of the MCDPA).

In relation to information sourced from others than the consumer, a controller may comply with a consumer's request to delete the consumer's personal data, by either:

  • retaining a record of the deletion request, retaining the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records, and not using the retained data for any other purpose pursuant to the provisions of the MCDPA; or
  • opting the consumer out of the processing of personal data for any purpose except for the purposes exempted pursuant to the provisions of the MCDPA.

8.5. Right to object/opt-out

Consumers have the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer (§6(1)(f) of the MCDPA).

Universal opt-out mechanisms

Controllers must allow consumers to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale (§6(3)(a) of the MCDPA). The platform, technology, or mechanism must meet the following requirements (§6(3)(a)(1) - (5) of the MCDPA):

  • not unfairly disadvantage another controller;
  • not make use of a default setting, but require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing of the consumer's personal data;
  • be consumer-friendly and easy to use by the average consumer;
  • be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and
  • enable the controller to accurately determine whether the consumer is a Minnesota resident and whether the consumer has made a legitimate request to opt out of any sale of the consumer's personal data or targeted advertising. The use of an Internet protocol address to estimate the consumer's location is sufficient.

Additionally, a controller that recognizes opt-out preference signals that have been approved by other state laws or regulations is in compliance with §6(3) of the MCDPA (§6(3)(d) of the MCDPA).

Authorized representative

Consumers may designate another person as their authorized agent to exercise the consumer's right to opt out of the processing of personal data for purposes of targeted advertising and sale on the consumer's behalf (§6(2)(d) of the MCDPA). A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.

8.6. Right to data portability

Consumers have the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means (§6(1)(e) of the MCDPA).

8.7. Right not to be subject to automated decision-making

Profiling means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements (§3(s) of the MCDPA).

Furthermore, the MCDPA specifies that if a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right (§6(1)(g) of the MCDPA):

  • to question the result of the profiling;
  • to be informed of the reason that the profiling resulted in the decision; and
  • if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future.

The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data (§6(1)(g) of the MCDPA).

8.8. Other rights

Not applicable.

9. Penalties

In the event that a controller or processor violates the MCDPA, the AG, prior to filing an enforcement action, must provide the controller or processor with a warning letter identifying the specific provisions of the MCDPA the AG alleges have been or are being violated. If, after 30 days of issuance of the warning letter, the AG believes the controller or processor has failed to cure any alleged violation, the AG may bring an enforcement action. The right to cure expires on January 31, 2026 (§12(a) of the MCDPA).

The AG may bring a civil action against a controller or processor to enforce the MCDPA. If the state prevails in an action to enforce the MCDPA, the state may, in addition to an injunction and a civil penalty of no more than $7,500 for each violation or other remedies provided by the law, be allowed an amount determined by the court to be the reasonable value of all or part of the state's litigation expenses incurred (§12(b) - (c ) of the MCDPA)

Furthermore, the MCDPA foresees that the abovementioned penalties and AG enforcement procedures apply to small businesses if they act in violation of §9(a) of the MCDPA (§9(b) of the MCDPA).

Importantly, the MCDPA does not establish a private right of action for violations (§12(d) of the MCDPA).

9.1 Enforcement decisions

Not applicable.