Minnesota Becomes 18th State to Enact Comprehensive Consumer Data Privacy Law

Minnesota Gov. Tim Walz recently signed into law HF 4757, the Minnesota Consumer Data Privacy Act, making Minnesota the 18th state to enact a comprehensive consumer data privacy law. The Act will go into effect July 31, 2025.

There were a number of consumer data privacy bills in play during the state’s legislative session that never made it to the finish line. Ultimately, the Act hitched a ride in a bill related to appropriations, cannabis policy, and commerce policy.

Minnesota joins the following states to have enacted privacy laws: California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland.

APPLICABILITY

The Minnesota Consumer Data Privacy Act applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

EXEMPTIONS

Exemptions include, but are not limited to:

  1. Personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act and implementing regulations if the collection, processing, sale, or disclosure is in compliance with that law;
  2. Protected health information under the Health Insurance Portability and Accountability Act of 1996;
  3. The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act;
  4. Data collected or maintained in the course of an individual acting as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of a business if the data is collected and used solely within the context of the role.

CONSUMER RIGHTS

Consumers have the right to:

  1. Confirm whether a controller is processing their personal data;
  2. Correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data;
  3. Delete personal data concerning the consumer;
  4. Obtain a portable copy of their personal data to the extent technically feasible, in a readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means;
  5. Opt out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects or similarly significant effects concerning the consumer;
  6. Question the results of profiling if the personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects;
  7. Obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data or, if the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers’ personal data.

SENSITIVE DATA

A controller may not process sensitive data concerning a consumer without obtaining the consumer’s consent.

“Sensitive data” is:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
  2. The processing of biometric data or genetic information for the purpose of uniquely identifying an individual;
  3. The personal data of a known child; or
  4. Specific geolocation data.

CONTRACT REQUIREMENTS

A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. It must also require that the processor:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality;
  2. Engage a subcontractor only (a) after providing the controller with an opportunity to object, and (b) pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data;
  3. Establish, implement, and maintain reasonable data security practices;
  4. Upon request, delete or return all personal data to the controller as requested at the end of the provision of services;
  5. Upon request, make available to the controller all information necessary to demonstrate compliance with the Act;
  6. Allow for, and contribute to, reasonable assessments and inspections by the controller or the controller’s designated assessor.

DATA PROTECTION ASSESSMENTS

A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data:

  1. The processing of personal data for purposes of targeted advertising;
  2. The sale of personal data;
  3. The processing of sensitive data;
  4. Any processing activities involving personal data that present a heightened risk of harm to consumers; and
  5. The processing of personal data for purposes of certain profiling.

ENFORCEMENT

The Attorney General has exclusive authority to enforce the Act and may seek a civil penalty of not more than $7,500 per violation. The Act provides a 30-day cure provision that expires Jan. 31, 2026.

IMPRESSION

While similar in many respects to some of the post-California comprehensive data privacy laws, the Act ventures farther in some respects, including providing consumers the right to question the results of profiling and to obtain a list of the specific third parties to whom the controller disclosed their personal data. For those aligning compliance with this Act with other state laws, careful attention is warranted given the originality of some of the provisions. For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

Photo: Jill Clardy/stock.adobe.com

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/
