I. Introduction
In today’s data-driven world, data privacy has become a paramount concern for consumers and businesses alike.
In line with an increasing trend of states throughout the US enacting data privacy laws, the Minnesota Consumer Data Privacy Act (MCDPA) was signed into law by Governor Tim Walz on May 24, 2024. The MCDPA aims to empower Minnesotans with greater control over their personal data. It imposes stringent obligations on businesses regarding the collection, processing, and sharing of consumer data and reflects Minnesota's commitment to upholding the privacy rights of its citizens in today’s digital age.
The MCDPA takes effect on July 31, 2025, with the exception that postsecondary institutions under the Office of Higher Education's regulation are exempt from this Act's requirements until July 31, 2029.
II. Who Needs to Comply with MCDPA
A. Material Scope
The MCDPA applies to legal entities that conduct business in Minnesota, produce goods or services intended for Minnesotans, and, in any given calendar year, control or process the personal data of 100,000 or more customers or derive over 25% of their gross revenue from the sale of personal data while processing or controlling the personal data of 25,000 or more consumers.
B. Exemptions
The MCDPA does not apply to the following types of information:
- protected health information under the Health Insurance Portability and Accountability Act (HIPAA);
- health records;
- patient identifying information;
- identifiable private information;
- information and documents created for purposes of the federal Health Care Quality Improvement Act;
- patient safety work product for purposes of the Code of Federal Regulations;
- information used only for public health activities and purposes;
- information regulated under the Fair Credit Reporting Act (FCRA);
- personal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act;
- personal data collected, processed, sold, or disclosed pursuant to the federal Driver’s Privacy Protection Act;
- personal data regulated by the federal Family Educational Rights and Privacy Act (FERPA);
- personal data collected, processed, sold, or disclosed pursuant to the federal Farm Credit Act (FCA);
- employment-related data;
- personal data collected, processed, sold, or disclosed pursuant to the Minnesota Insurance Fair Information Reporting Act; or
- data collected, processed, sold, or disclosed as part of a payment-only credit, check, or cash transaction where no data about consumers.
The MCDPA does not apply to the following entities:
- a government entity;
- a federally recognized Indian tribe;
- a state or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities;
- an insurance company principally engaged in financial activities, as described in United States Code, title 12, section 1843(k);
- a small business, as defined by the United States Small Business Administration under the Code of Federal Regulations, title 13, part 121;
- a non-profit organization which is established to detect and prevent fraudulent acts in connection with insurance; or
- an air carrier subject to the federal Airline Deregulation Act.
III. Definitions of Key Terms
A. Biometric Data
Data generated by automatic measurements of an individual's biological characteristics, including a fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that are used to identify a specific individual.
Biometric data does not include:
- a digital or physical photograph;
- an audio or video recording; or
- any data generated from a digital or physical photograph, or an audio or video recording, unless the data is generated to identify a specific person.
B. Consent
Any freely given, specific, informed, and unambiguous indication of the consumer's wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer for a narrowly defined particular purpose.
Acceptance of general or broad terms of use or similar documents that contain descriptions of personal data processing along with other unrelated information does not constitute consent. Hovering over, muting, pausing, or closing a given piece of content does not constitute consent. Consent is not valid when the consumer’s indication has been obtained by a dark pattern. A consumer may revoke previously given consent.
C. Personal Data
Any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include de-identified data or publicly available information.
D. Sensitive Data
A form of personal data, including personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status; the processing of biometric data or genetic information; the personal data of a known child; or specific geolocation data.
IV. Obligations for Organizations Under MCDPA
A. Consent Requirements
A controller must not process sensitive consumer data without the consent of the consumer or, in the case of processing personal data about a known child, without the consent of the child's parent or legal guardian, as required by the Children's Online Privacy Protection Act (COPPA).
Controllers must ensure that they provide consumers, or in the case of the processing of personal data concerning a known child, the child’s parent or lawful guardian, with an efficient system to withdraw their consent that shall be at least as easy as the mechanism by which the consent was previously provided. In the event that a consumer chooses to opt out, the controller must cease using their personal data as soon as is reasonably possible, but no later than 15 days after the request is received.
In cases where a consumer is a known child between the ages of 13 and 16, a controller must not process their personal data for the purpose of targeted advertising or sell their personal data without the consumer's consent.
Moreover, a small business that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota must not sell a consumer's sensitive data without the consumer's prior consent.
B. Data Minimization and Purpose Limitation Requirements
A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed. This information must be disclosed to the consumer. Additionally, controllers are required to maintain a data inventory.
C. Nondiscrimination Requirements
A controller may not process personal data in a way that unlawfully discriminates against a consumer or class of consumers in relation to the offering or provision of housing, employment, credit, education, or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation. This includes processing data based on actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability.
Controllers must not unfairly discriminate against consumers for exercising any of the consumer rights, for example by refusing them goods or services, charging them a different price or rate, or offering them goods and services of a lower caliber.
D. Privacy Notice Requirements
Controllers must provide consumers with a reasonably accessible, clear, and meaningful privacy notice that includes:
- the categories of personal data the controller processes;
- the intended purposes for which the categories of personal data are processed;
- a description of the rights included, including where and how to exercise them, as well as the means of appealing a controller's decision about a request from a consumer;
- the categories of personal data that the controller sells to or shares with third parties, if any;
- the categories of third parties, if any, with whom the controller sells or shares personal data;
- the controller's contact details, such as an operational email address or another online method the consumer may use to get in touch with the controller;
- a description of the controller’s retention policies for personal data;
- when the privacy notice was last updated.
A controller must disclose any processing of personal data in the privacy notice and give a consumer clear and noticeable access outside the notice to opt out of the sale, processing, or profiling.
This method might include, but is not limited to, providing consumers with an internet hyperlink prominently labeled "Your Opt-Out Rights" or "Your Privacy Rights" that either immediately implements the opt-out request or directs them to a website where they can make the request.
The controller must provide the privacy notice to the public in each language in which it offers a service or product that is subject to the privacy notice or carries out activities related to the product or service. The privacy notice must also be sufficiently usable and accessible to people with disabilities.
A controller must give notice to all affected consumers regarding any prospectively collected personal data before making a material change to its privacy notice or practices. Additionally, the controller must give affected consumers a reasonable chance to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the revised policy. The controller shall take all reasonable electronic measures to provide information regarding material changes to affected consumers, taking into account available technology and the nature of the relationship.
A prominent hyperlink including the term "privacy" on the controller's website home page or the download or app store page for a mobile application must lead to the privacy notice. A hyperlink to the privacy notice must be included in the settings menu of any application that a controller maintains on a mobile device or other device. If a controller does not have a website, they must prominently display the privacy notice to customers via one of the many channels they frequently use to communicate with them, such as mail.
E. Security Requirements
Controllers are required to establish, implement, and maintain reasonable administrative, technological, and physical data security protocols to safeguard the privacy, integrity, and accessibility of personal data. Data security procedures must be appropriate for the volume and kind of personal data being processed by the controller.
F. Create and Maintain Data Processing Records
A controller must document and maintain a description of the policies and procedures in order to comply with the MCDPA. Such a description must include, where applicable:
- the name and contact details of the controller's chief privacy officer or another person principally in charge of overseeing the implementation of the policies and procedures;
- a description of the controller's data privacy policies and procedures designed to comply with the requirements of MCDPA and to:
  - reflect the requirements of MCDPA in the design of the controller’s systems;
  - identify and provide personal data to a consumer as required by MCDPA;
  - establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data;
  - limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data is processed;
  - prevent the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed unless retention of data is otherwise required by law; and
  - identify and remediate violations of the MCDPA.
G. Universal Opt-Out Mechanism Requirements
With the consent of the consumer, a platform, technology, or other mechanism must send an opt-out preference signal to the controller indicating the consumer's desire to opt out of any processing of their personal data for the purposes of targeted advertising, as well as any sales of that personal data. The platform, technology, or mechanism must:
- not unfairly disadvantage another controller;
- not make use of a default setting, but require the consumer to make an affirmative, freely given, and unambiguous choice to opt out of the processing of the consumer’s personal data;
- be user-friendly and accessible to the average consumer;
- be as consistent as possible with any other similar platform, technology, or mechanism required by any federal or state law or regulation; and
- enable the controller to determine if the consumer is a Minnesota resident and whether the consumer has legitimately requested to opt out of any sale of their personal data or targeted advertising.
H. Data Protection Assessment
The MCDPA also requires controllers to conduct and document data protection assessments for activities that present a heightened risk of harm. These activities may include the processing of personal data for targeted advertising, sale of personal data, processing of sensitive data, any processing activities involving personal data that present a heightened risk of harm to consumers, and processing for the purpose of profiling where the activity may present a reasonably foreseeable risk of:
- unfair or deceptive treatment of, or disparate impact on, consumers;
- financial, physical, or reputational injury to consumers;
- a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
- other substantial injury to consumers.
A data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed.
Data protection assessments shall identify and weigh the benefits that may flow, directly and indirectly, from the processing to the controller, the consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with such processing, as mitigated by safeguards that can be employed by the controller to reduce such risks. The use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller.
The attorney general may require that a controller disclose any data protection assessment that is relevant to an investigation conducted by the attorney general, and the controller shall make the data protection assessment available to the attorney general. The attorney general may evaluate the data protection assessment for compliance with the responsibilities set forth in the law. Data protection assessments shall be confidential and shall be exempt from disclosure.
V. Data Processor Obligations
Processors must comply with the controller's instructions and assist the controller in meeting its responsibilities under the MCDPA, including:
- considering the nature of the processing, the processor will, to the extent that it is possible, assist the controller in carrying out its duty to respond to consumer requests by providing the necessary organizational and technical support;
- considering the type of processing and the data at hand, the processor will assist the controller in fulfilling its responsibilities regarding the security of processing personal data and notifying third parties about system security breaches; and
- the processor will provide the controller with the data required to conduct and record any mandatory data privacy and protection assessments.
Regardless of the controller's instructions, a processor must:
- ensure that each individual handling personal data is bound by a duty of data secrecy;
- only engage a subcontractor in accordance with a documented contract that binds the subcontractor to the processor's responsibilities for the personal data and only after giving the controller a chance to object;
- adopt suitable organizational and technological safeguards to ensure a security level commensurate with the risk, and clearly delineate the controller's and processor's respective roles in putting these safeguards in place.
Processing by a processor is subject to a contract between the controller and the processor, which details the processing guidelines to which the processor is bound. These guidelines include the type and purpose of the processing, the obligations and rights of both parties, the length of the processing, and the nature and purpose of the processing of personal data.
The contract shall include the following requirements:
- After services are rendered, the processor will, at the controller's discretion, either delete or return all personal data to the controller unless the controller is compelled by law to retain the personal data; and
- The controller shall have access to all information required to demonstrate compliance with the responsibilities.
VI. Data Subject Rights
A. Right to Confirm
A consumer has the right to confirm whether or not a controller is processing personal data concerning the consumer.
B. Right to Access
A consumer has the right to access the categories of personal data the controller is processing.
C. Right to Correct Inaccuracies
A consumer has the right to correct inaccurate personal data concerning the consumer.
D. Right to Delete
A consumer has the right to delete personal data concerning the consumer.
E. Right to Obtain
A consumer has the right to obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
F. Right to Opt-Out
A consumer has the right to opt out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.
G. Right to Question the Result of Profiling
If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. The consumer has the right to review the consumer's personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.
H. Right to Obtain List of Third Parties
A consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers' personal data may be provided instead.
VII. Consumer Requests
A consumer may exercise the rights set forth in the MCDPA by submitting a request to a controller at any time specifying which rights the consumer wishes to exercise.
When processing a known child's personal data, the parent or legal guardian of the known child may exercise the rights on the child's behalf. When processing the personal data of a consumer who is lawfully under conservatorship or guardianship, the conservator or guardian of the consumer may exercise the rights on the consumer's behalf.
A consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale on the consumer's behalf. A consumer may designate an authorized agent by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing. A controller shall comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.
Consumers must be given secure and reliable means to submit a request to exercise their rights, and a controller may not require a consumer to open a new account; rather, a controller may require a consumer to utilize an existing account.
Response Period of Consumer Requests
Upon receipt of the consumer request, a controller is required to respond promptly to the consumer, ideally within 45 days. When it is deemed reasonably necessary, taking into account the complexity and volume of the consumer's requests, the response period may be extended once by an additional 45 days. However, the controller must notify the consumer of the extension within the first 45-day response period, along with the reason for the extension.
If a controller does not take action on a consumer's request, the controller must inform the consumer without undue delay and, at the latest, within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision with the controller as described in the MCDPA.
The controller may refuse to act upon a consumer request, or charge a reasonable fee to offset the administrative expenses of complying with the request, if it is clearly excessive, repeated, or manifestly unfounded. The controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
A controller is not required to comply with a request to exercise consumer rights if the controller is unable to authenticate the request using commercially reasonable efforts. In such cases, the controller may request the provision of additional information reasonably necessary to authenticate the request. A controller is not required to authenticate an opt-out request, but a controller may deny an opt-out request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If a controller denies an opt-out request because the controller believes a request is fraudulent, the controller must notify the person who made the request that the request was denied due to the controller's belief that the request was fraudulent and state the controller's basis for that belief.
Appeal Process
Every controller must set up an appeals procedure that enables a consumer to challenge a controller's decision not to act on a request within a reasonable period of time after the consumer receives the decision. The appeals procedure must be conspicuously available and must include the ease of use provisions applicable to the submission of consumer requests under the MCDPA.
A controller must notify the consumer of any action taken or not taken in response to an appeal within forty-five (45) days of receiving it and should provide a written and documented justification for such action. If it is deemed reasonably required, an additional sixty (60) days may be added to that time frame, with consideration given to the volume and complexity of the petitions that form the basis of the appeal. Within forty-five (45) days of receiving the appeal, the controller is required to notify the consumer of any such extension and provide an explanation and reasons for the delay.
Additionally, the controller shall provide the consumer with an electronic mail address or other online method by which the consumer may submit the appeal to the Attorney General, together with any action taken or not taken by the controller in response to the appeal and the controller's written justification for the appeal.
When informing a consumer of any action taken or not taken in response to an appeal, the controller must provide a written explanation of the reasons for the controller's decision and clearly and prominently provide the consumer with information about how to file a complaint with the Office of the Attorney General. The controller must maintain records of all appeals and the controller's responses for at least 24 months and shall, upon written request by the attorney general as part of an investigation, compile and provide a copy of the records to the attorney general.
VIII. Regulatory Authority
The Attorney General is the primary body responsible for enforcing the Minnesota Consumer Data Privacy Act (MCDPA).
IX. Penalties for Non-Compliance
Before initiating an enforcement action, the Attorney General must send a warning letter to the controller or processor if they violate the MCDPA. This letter should identify the specific provisions that the Attorney General claims have been violated or are being violated.
If, after the 30-day warning period, the Attorney General determines that the controller or processor has failed to cure any alleged violation, the Attorney General may file an enforcement action. The right to cure expires on January 31, 2026 (§12(a) of the MCDPA).
Any controller or processor found to be in violation of the MCDPA might face up to $7,500 in civil penalties and an injunction.
X. How an Organization Can Operationalize the MCDPA
Organizations can operationalize the Minnesota Consumer Data Privacy Act (MCDPA) by:
- Establishing clearly defined policies and procedures for processing data in compliance with MCDPA’s provisions;
- Developing clear, accessible, and understandable privacy notices that comply with MCDPA’s requirements;
- Obtaining explicit consent from users before processing their personal data;
- Developing a robust framework for receiving and processing data requests, complaints, and appeals from consumers; and
- Training employees who handle consumers’ data on the organization's policies and procedures and the MCDPA's requirements.
XI. How Securiti Can Help
Securiti’s Data Command Center enables organizations to comply with the Minnesota Consumer Data Privacy Act (MCDPA), securing the organization’s data, enabling organizations to maximize data value, and fulfilling an organization’s obligations around data security, data privacy, data governance, and compliance.
Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.