Minnesota: Overview of the MCDPA and its effects on organizations
On May 24, 2024, Minnesota adopted the Minnesota Consumer Data Privacy Act (MCDPA), becoming the 19th state to adopt a comprehensive state privacy law. The MCDPA will go into effect on July 31, 2025, giving businesses more than 12 months to come into compliance with its requirements.
Minnesota is following the lead of many other US states in adopting the MCDPA, borrowing elements from a variety of state privacy laws already in effect. This should be welcome news to businesses already facing an increasingly complex privacy regulatory environment, with new state privacy laws adopted on an almost monthly basis. However, as with each of the state privacy laws, it is important to recognize the nuances of this law and understand how it applies to your business operations. In this Insight article, Jordan L. Fischer, of Fischer Law, LLC, provides an overview of the key requirements of the Minnesota law.
Which companies need to comply with the MCDPA?
The MCDPA applies to businesses that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and either:
- during a calendar year, control or process personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- derive over 25% of gross revenue from the sale of personal data and process or control personal data of 25,000 consumers or more.
While the MCDPA maintains common exemptions for certain types of businesses (e.g., healthcare providers, government entities, and non-profits), it also contains a carve-out for small businesses, as defined by the United States Small Business Administration. Both Texas's and Nebraska's privacy laws maintain a similar small business exemption.
Additionally, the MCDPA provides numerous carve-outs for certain types of information that are collected and processed by businesses. For example, the MCDPA does not apply to job applicant and employee data, protected health information under the Health Insurance Portability and Accountability Act (HIPAA), or data covered by the Gramm-Leach-Bliley Act (GLBA).
What are the obligations for businesses subject to the MCDPA?
The MCDPA uses the terms 'controller' and 'processor,' borrowed from the EU's General Data Protection Regulation (GDPR), to define the key roles under the law. Controllers and processors are required to enter into contracts that govern the processing of all personal data. Specifically, these contracts must 'set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties.'
Interestingly, the MCDPA appears to track the guidance under the GDPR in determining whether a business is a controller or processor. The MCDPA expressly states that it is a 'fact-based determination' whether a business is acting as a controller or processor, and lays out the following guidance: 'A person that is not limited in the person's processing of personal data pursuant to a controller's instructions, or that fails to adhere to a controller's instructions, is a controller and not a processor with respect to a specific processing of data. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor. If a processor begins, alone or jointly with others, determining the purposes and means of the processing of personal data, the processor is a controller with respect to the processing.'
As such, it is important that data processing agreements clearly state the controller's instructions to the processor, and that the processor does not deviate from them. Any deviation could convert a processor into a controller under the MCDPA, with the controller's full set of obligations attaching to that processing.
Additionally, controllers are required, aligned with other state privacy laws, to provide a privacy notice that is 'reasonably accessible, clear, and meaningful,' and includes:
- the categories of personal data processed by the controller;
- the purposes for which the categories of personal data are processed;
- an explanation of consumer data rights and how consumers may exercise those rights, including how a consumer may appeal a controller's action with regard to the consumer's request;
- the categories of personal data that the controller sells to or shares with third parties, if any;
- the categories of third parties, if any, with whom the controller sells or shares personal data;
- the controller's contact information, including an active email address or other online mechanism that the consumer may use to contact the controller;
- a description of the controller's retention policies for personal data; and
- the date the privacy notice was last updated.
The MCDPA requires that the privacy notice be provided in 'each language in which the controller provides a product or service that is subject to the privacy notice.' Whenever a 'material change' is made to the privacy notice, the controller must notify consumers affected by the change and provide the ability to withdraw consent to the prospective processing of personal data under the new terms. Picking up on a recent trend under other state privacy laws, the MCDPA expressly allows a privacy notice that is not Minnesota-specific, so long as it satisfies the requirements of the MCDPA. This allows businesses to create a single, more generalized privacy notice that aligns with all the various US state privacy laws, instead of managing multiple notices - a welcome approach for businesses.
Businesses are also required to 'document and maintain a description of the policies and procedures the controller has adopted to comply with' the MCDPA. This documentation should include:
- the identification of an individual responsible for overseeing compliance with the MCDPA;
- policies and procedures that address data limitation principles, data retention requirements, and reasonable security measures, among other topics; and
- Data Privacy and Protection Assessments.
What data rights exist under the MCDPA?
Minnesota consumers maintain a number of different rights under the MCDPA, including the right to:
- confirm whether or not a controller is processing personal data concerning the consumer;
- access the categories of personal data the controller is processing;
- correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data;
- delete personal data concerning the consumer;
- obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means;
- opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer;
- question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. Further, the consumer has the right to review the consumer's personal data used in the profiling, and the right to have the data corrected and the profiling decision reevaluated based upon the corrected data; and
- obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead.
Controllers must provide at least two methods for consumers to submit requests and are required to respond to requests within 45 days. However, the MCDPA makes clear that controllers are not required to respond to requests if they are 'unable to authenticate the request using commercially reasonable efforts.' This is not merely a compliance convenience: access, portability, and deletion requests that are honored without authenticating the requester become a channel for disclosing or destroying someone else's personal data, so the verification step should be designed and documented with the same care as the rest of the request workflow. The MCDPA provides that controllers must comply with these data requests free of charge up to two times per year.
How does the MCDPA handle opt-out requests?
Opt-out requests, through which a consumer can opt out of the sale or sharing of personal data, are becoming a mainstay of US state privacy laws, and Minnesota is no exception. The MCDPA provides for a 'universal opt-out mechanism' under which controllers 'must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising, or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale.'
The MCDPA expressly recognizes that a consumer's opt-out preference signal may conflict with settings or information the consumer previously provided to the controller. In this instance, the MCDPA expressly allows controllers to inform the consumer of the conflict and 'provide the consumer a choice to confirm the controller-specific privacy setting or participation in the controller's program.' Minnesota also expressly allows controllers to honor opt-out mechanisms that have been approved under other state laws or regulations.
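The statute describes the outcome a controller must reach (stop targeted advertising and sale when a signal arrives, and handle a conflict with an earlier controller-specific choice) but not how a server should compute it. The following is an added example, not code from the article or from any Minnesota guidance, showing one way to resolve the effective opt-out state for a request. It assumes the signal arrives as the Global Privacy Control request header `Sec-GPC: 1`, which the MCDPA does not name; GPC is simply one widely deployed opt-out preference signal. The `Decision` type, the `resolve_opt_out` function and the shape of the stored preference record are all illustrative choices for this example.

```python
"""Resolve a consumer's effective opt-out state under a universal opt-out
mechanism, handling the conflict case the MCDPA describes.

Added example; the data model and function names are hypothetical."""
from dataclasses import dataclass
from typing import Mapping, Optional

# Assumption: the opt-out preference signal is the Global Privacy Control
# header ("Sec-GPC: 1"). The MCDPA itself does not name a specific signal.
GPC_HEADER = "sec-gpc"

# The two purposes the universal opt-out mechanism covers.
PURPOSES = ("targeted_advertising", "sale")


@dataclass(frozen=True)
class Decision:
    # True means processing for that purpose must stop for this consumer.
    targeted_advertising: bool
    sale: bool
    # True means the signal contradicts an earlier opt-in the consumer gave
    # this controller; the controller may inform the consumer and offer a
    # choice to confirm the controller-specific setting.
    conflict: bool
    reason: str


def signal_present(headers: Mapping[str, str]) -> bool:
    """Header names are case-insensitive; only the exact value "1" counts."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get(GPC_HEADER) == "1"


def resolve_opt_out(headers: Mapping[str, str],
                    stored_preference: Optional[Mapping[str, bool]]) -> Decision:
    """Combine the request's signal with the consumer's earlier choices.

    stored_preference maps a purpose to True (consumer affirmatively opted
    in with this controller) or False (consumer explicitly opted out).
    None, or a missing key, means the consumer never expressed a choice.
    """
    signal = signal_present(headers)
    pref = dict(stored_preference or {})
    stop = {}
    conflict = False

    for purpose in PURPOSES:
        choice = pref.get(purpose)
        if choice is False:
            # An explicit opt-out persists; absence of a signal never re-enables
            # processing, so a browser without GPC does not undo a prior choice.
            stop[purpose] = True
        elif choice is True and signal:
            # Signal says opt out, the consumer earlier opted in with this
            # controller. Design choice here: honor the signal until the
            # consumer confirms the controller-specific setting, and flag the
            # conflict so the controller can present that choice.
            stop[purpose] = True
            conflict = True
        elif choice is True:
            # Opted in with this controller and no signal: processing may continue.
            stop[purpose] = False
        else:
            # No prior choice: the signal alone decides. Without one, targeted
            # advertising and sale remain opt-out activities under the MCDPA.
            stop[purpose] = signal

    if conflict:
        reason = "signal conflicts with prior opt-in; honoring signal pending confirmation"
    elif signal:
        reason = "opt-out preference signal received"
    else:
        reason = "no signal; applied stored preferences or defaults"

    return Decision(targeted_advertising=stop["targeted_advertising"],
                    sale=stop["sale"], conflict=conflict, reason=reason)


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(resolve_opt_out({"Sec-GPC": "1"}, None))
    print(resolve_opt_out({}, {"targeted_advertising": True, "sale": False}))
    print(resolve_opt_out({"SEC-GPC": "1"}, {"targeted_advertising": True, "sale": True}))
```

The two rules worth noting are that the signal only ever moves a consumer toward opting out (a request without the header never overrides an earlier explicit opt-out), and that the conflict case is surfaced as data rather than silently resolved, since the statute leaves the controller the option of asking the consumer to confirm their earlier choice.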
How is the MCDPA enforced?
Enforcement of the MCDPA is vested in the Minnesota Attorney General (AG), and there is no private right of action. Until January 31, 2026, businesses will have a 30-day cure period: once notified of a violation by the AG, a business has 30 days to address the concerns before enforcement proceeds. Businesses can be liable under the MCDPA for 'not more than $7,500 for each violation.'
Preparing for the MCDPA
Minnesota's privacy law builds on many of the same themes and requirements of other US state privacy laws. This should allow businesses to create efficient compliance programs to address the requirements of the MCDPA. Impacted businesses should review their existing privacy compliance to identify where they are already in compliance with the MCDPA and take the next year to address any outstanding gaps. Focusing on outward-facing privacy notices and building out robust documentation will provide a solid foundation to prepare for the coming enforcement of the MCDPA.
Jordan L. Fischer Founding Partner
Fischer Law, LLC, Philadelphia