Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Minnesota: The MCDPA - what you need to know

On May 24, 2024, Omnibus Senate Bill 4757, containing the Minnesota Consumer Data Privacy Act (MCDPA), was approved by the Governor of Minnesota after its passage in the Legislature on May 19, 2024, and will enter into effect on July 31, 2025. The MCDPA is a comprehensive data protection law that introduces obligations for both the data controllers and data processors and lays down consumer rights. OneTrust DataGuidance Research provides an outline of the MCDPA's provisions.

nuchao/iStock via Getty Images

Definitions

The MCDPA contains definitions for key terms including biometric data, consent, processing, dark pattern, de-identified data, genetic information, and personal data. Notably, the MCDPA defines various terms similar to the majority of the US state privacy laws.

A controller is defined as a person who, alone or jointly with others, determines the purpose and means of processing personal data, while a processor is a person who processes personal data on behalf of a controller.

Furthermore, a consumer is defined as a natural person who is a Minnesota resident acting only in an individual or household context and not in a commercial or employment context. In addition, personal data is defined as any information that is linked or reasonably linkable to an identified or identifiable natural person, excluding de-identified data or publicly available information. Consequently, the processing of personal data involves any set of operations that are performed on personal data, including by automated means. Some examples of such operations are the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.

Sensitive data is considered a form of personal data and is defined as:

  • personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
  • the processing of biometric data or genetic information for the purpose of uniquely identifying an individual;
  • the personal data of a known child; or
  • specific geolocation data.

Importantly, the MCDPA provides a definition for decisions that produce legal or similarly significant effects concerning the consumer, which includes decisions made by the controller that result in the provision or denial by the controller of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, healthcare services, or access to essential goods or services.

Scope

The MCDPA's scope is similar to Oregon and Connecticut's state privacy laws and applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota and that satisfy one or more of the following thresholds:

  • during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or  
  • derives over 25% of its gross revenue from the sale of personal data and processes or controls the personal data of 25,000 consumers or more.

Furthermore, the MCDPA applies to a controller or processor acting as a technology provider.

However, the MCDPA provides for certain exclusions where it does not apply to the following entities, activities, and types of information, among other things:

  • a government entity;
  • a federally recognized Indian tribe;
  • information that meets the definition of, among other things:
    • protected health information as defined in stated regulations, including under the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
    • health records;
    • patient identifying information;
    • identifiable private information for purposes of the federal policy for the protection of human subjects;
    • patient safety work product for purposes of defined regulations; or
    • information that is, among other things:
      • maintained by an entity that meets the definition of healthcare provider under the Code of Federal Regulations to the extent that the entity maintains the information in the manner required of covered entities with respect to protected health information;
      • included in a limited dataset to the extent that the information is used, disclosed, and maintained in a particular manner; or
      • maintained by, or maintained to comply with the rules or orders of, a self-regulatory organization;
  • information used only for public health activities and purposes;
  • an activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, by a furnisher of information, who provides information for use in a consumer report, and by a user of a consumer report; 
  • personal data collected, processed, sold, or disclosed in accordance with the Gramm-Leach-Bliley Act (GLBA) and Public Law 106-102;
  • a non-profit organization that is established to detect and prevent fraudulent acts in connection with insurance; and
  • a small business.

Finally, the MCDPA highlights that controllers that are in compliance with the Children's Online Privacy Protection Act, 1998 (COPPA) will be deemed to be in compliance with any obligation to obtain parental consent under the MCDPA.

Consumer rights

The MCDPA provides that, subject to certain exceptions, a controller must comply with a request to exercise the following consumer rights:

  • right to confirm processing of personal data concerning them and access the categories of personal data;
  • right to correct inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing;
  • right to delete personal data concerning them;
  • right to obtain personal data concerning them, which they previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means;
  • right to opt out of the processing of personal data concerning them for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning them or similarly significant effects concerning them;
  • in the case of the profiling of their personal data in furtherance of decisions that produce legal effects or similarly significant effects, the consumer has the right to:
    • question the result of the profiling;
    • be informed of the reason that the profiling resulted in the decision;
    • be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future;
    • review their personal data used in the profiling; and
    • have the data corrected and the profiling decision reevaluated if the decision is determined to have been based upon inaccurate personal data; and
  • right to obtain a list of the specific third parties to whom the controller has disclosed their personal data. If the controller does not maintain the information in a format specific to them, a list of specific third parties to whom the controller has disclosed any of their personal data may be provided instead.

Submission format

A controller is obliged to provide one or more secure and reliable means for consumers to submit a request to exercise their rights. A parent or legal guardian of a known child may exercise these rights on behalf of their child.

In addition, a controller may not require a consumer to create a new account in order to exercise a right, but it may require a consumer to use an existing account to exercise their rights.

Timeframe and appeal

The controller must comply and provide information on any actions taken on the request as soon as feasibly possible but no later than 45 days of receipt of the request. The period to inform may be extended once more by an additional 45 days where reasonably necessary, taking into account the complexity and number of the requests.

Regarding appeals, the controller must inform the consumer within 45 days of receipt of an appeal of any action taken or not taken in response to the appeal, along with a written explanation of the reasons in support thereof. That period may be extended by 60 additional days where necessary, but the consumer must be informed of the extension and the reasons for it within 45 days of receipt of the appeal.

The MCDPA mandates controllers to establish an internal process for consumers to appeal a refusal to take action on a request to exercise their right within a reasonable period of time. The process must be conspicuously available and easy to use.

Exemptions

The MCDPA emphasizes that information provided to consumers by the controller must be free of charge up to twice annually. Where requests from a consumer are manifestly unfounded or excessive, particularly because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request or refuse to act on the request. However, the controller bears the burden of proving the manifestly unfounded or excessive character of the request.

Furthermore, a controller is not required to comply with a request to exercise any of the consumer rights if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. However, a controller is not required to authenticate an opt-out request, but it may deny an opt-out request if it has a good faith, reasonable, and documented belief that the request is fraudulent. If so, the controller must notify the individual who made the request that the request was denied and state the basis for that belief.

Finally, a controller is exempt from providing information that reveals trade secrets.

Controller obligations

Privacy notice

Under the MCDPA, the controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:

  • the categories of personal data processed by the controller;
  • the purpose for processing personal data;
  • how consumers may exercise their consumer rights, including how a consumer may appeal a controller's action with regard to the consumer's request;
  • the categories of personal data that the controller sells or shares with third parties, if any;
  • the categories of third parties with which the controller shares personal data;
  • an active email address or other online mechanism that the consumer may use to contact the controller;
  • a description of the controller's retention policies for personal data;
  • the date the privacy notice was last updated; and
  • if a controller sells personal data to third parties or processes personal data for targeted advertising, the controller must disclose such processing, as well as the manner in which a consumer may exercise the right to opt out of such processing. This method may include but is not limited to a hyperlink clearly labeled 'Your Opt-Out Rights' or 'Your Privacy Rights' that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request.

In addition, the privacy notice must be available to the public in each language in which the controller provides a product or service and must also be reasonably accessible to individuals with disabilities. Notably, the MCDPA exempts the controller from providing a separate Minnesota-specific privacy notice if the general privacy notice contains all the information required.

Moreover, the privacy notice must be posted online through a conspicuous hyperlink on the controller's website home page or on a mobile application's app store page or download page. A controller that does not operate a website must make the privacy notice conspicuously available through a medium regularly used by the controller to interact with consumers, including mail.

Use of data

The MCDPA stipulates controllers' obligations in the use of personal data, such as:

  • limiting the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data is processed, as disclosed to the consumer;
  • not processing personal data for purposes that are neither reasonably necessary to, nor compatible with, the purposes for which such personal data is processed, as disclosed to the consumer unless the consumer's consent is obtained;
  • establishing, implementing, and maintaining reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data appropriate to the volume and nature of the personal data at issue;
  • not processing sensitive data concerning a consumer without obtaining consent, or, in the case of sensitive data concerning a known child, without first obtaining the child's parent or lawful guardian's consent;
  • providing an effective mechanism to revoke previously given consent that is at least as easy as the mechanism by which the consent was given. Upon revocation of such consent, controllers must cease to process the data as soon as practicable, but not later than 15 days after the receipt of such request;
  • not processing the personal data for the purposes of targeted advertising or selling personal data without consent where the controller knows that the consumer is between the ages 13 and 16 years; and
  • not retaining personal data that is no longer relevant and reasonable to the purposes for which it was collected and processed unless retention of the data is otherwise required by law.

De-identified and anonymized data

The MCDPA states that the controller or processor is not required to:

  • reidentify de-identified data;
  • maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or
  • comply with an authenticated consumer request to exercise their rights if all of the following are true:
    • the controller is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data;
    • the controller does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
    • the controller does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted by the MCDPA.

However, the above does not apply to pseudonymous data, where the controller is able to demonstrate that the information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.

Non-discrimination

The MCDPA prohibits controllers from discriminating against a consumer for exercising their consumer rights, including denying goods or services, charging different prices or rates for goods or services, or providing a different level of quality of goods or services to the consumer. Further, controllers are prohibited from processing personal data on the basis of a class of consumers' actual or perceived race, color, ethnicity, religion, national origin, sex, and gender, among other things.

Small businesses

The MCDPA stipulates that a small business that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota must not sell a consumer's sensitive data without the consumer's prior consent.

Documentation

A controller must document and maintain a description of the policies and procedures the controller has adopted to comply with the MCDPA. The controller must also conduct and document a data privacy and protection assessment for each of the following processing activities:  

  • processing for the purposes of targeted advertising;
  • the sale of personal data;
  • the processing of sensitive data;
  • any processing activities presenting a heightened risk of harm to consumers; and  
  • the processing of personal data for the purposes of profiling, where the profiling presents a reasonably foreseeable risk of:
    • unfair or deceptive treatment of or disparate impact on consumers;
    • financial, physical, or reputational injury to consumers;
    • a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or  
    • other substantial injury to consumers.

Processor obligations

The MCDPA obligates processors to adhere to the instructions of the controller and assist the controller in meeting their obligations. Taking into account the nature of processing, some of the responsibilities of the processor include:

  • assisting the controller in responding to consumer rights requests by taking appropriate technical and organizational measures, insofar as this is possible; and
  • assisting the controller in meeting their obligations and providing the information needed in relation to:
    • the security of processing the personal data;
    • the notification of a breach of the security of the system; and
    • conducting and documenting any required data privacy and protection assessments.

Further, the MCDPA provides that the relationship between the controller and processor must be governed by a binding contract, which must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. The contract must include provisions for a processor to:

  • ensure that each person processing personal data is subject to a duty of confidentiality;
  • engage a subcontractor after providing the controller with the opportunity to object and pursuant to a written contract requiring the subcontractor to meet the duties of the processor;
  • at the controller's direction, delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
  • upon the reasonable request of the controller, make available to the controller all information in the processor's possession necessary to demonstrate the processor's compliance with the obligations in the MCDPA; and
  • allow and cooperate with reasonable assessments by the controller or their designated assessor or alternatively, the processor may arrange for a qualified and independent assessor to conduct the assessment of its policies and technical and organizational measures, which must be reported to the controller upon request.

The MCDPA clarifies, in line with the majority of the US state privacy laws, that determining whether an entity is acting as a controller or processor is a fact-based determination that depends on the context of the processing. For instance, a processor that fails to limit processing or adhere to the controller's instructions becomes a controller or if a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor becomes a controller with respect to the processing.

Limitations

The MCDPA prescribes that the obligations imposed on controllers or processors do not restrict their ability to, among others:

  • comply with federal, state, or local laws, rules, or regulations;
  • comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
  • investigate, establish, exercise, prepare for, or defend legal claims;
  • provide a product or service specifically requested by a consumer;
  • perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty or taking steps at the request of the consumer prior to entering into a contract;
  • preserve the integrity or security of systems; and
  • investigate, report, or prosecute those responsible for any such illegal activity.

Additionally, the obligations do not restrict a controller's or processor's ability to collect, use, or retain data to:  

  • effectuate a product recall or identify and repair technical errors that impair functionality;
  • perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or
  • conduct internal research to develop, improve, or repair products, services, or technology.

Further to the above, the obligations do not apply where compliance by the controller or processor with the MCDPA would violate an evidentiary privilege under Minnesota law or as part of a privileged communication.

Additionally, a controller or processor would not be considered as violating the provisions of the MCDPA, where they disclose personal data to a third-party controller or processor in compliance with the requirements of the MCDPA, and the recipient processes the personal data in violation of the MCDPA, provided that, at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. Likewise, a third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of the MCDPA is not in violation of the MCDPA for the obligations of the controller or processor from which it receives the personal data.

It is imperative that the controllers' and processors' obligations do not adversely affect the rights or freedoms of any persons and do not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.

Enforcement

The Minnesota Attorney General (AG) has the exclusive authority to enforce the provisions of the MCDPA. In the event that a controller or processor is found in violation of the MCDPA, the AG must provide the controller or processor with a warning letter identifying the specific violated provisions, and if, after 30 days, the AG believes the alleged violation is not cured, it may file an enforcement action. The cure-period provision expires on January 31, 2026.

The AG is empowered to bring a civil action against a defaulting controller or processor. Furthermore, any controller or processor violating the MCDPA may be subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation.

Importantly, the MCDPA does not provide for a private right of action.

Maryam Abass Privacy Analyst
[email protected]