In May 2024, Minnesota was the 19th State to enact a consumer data privacy statute called the Minnesota Consumer Data Privacy Act (“MCDPA”). For most “covered entities,” the MCDPA will become effective at the end of July 2025. In this article, the Consumer Data Protection Attorneys at Revision Legal offer a brief list of some of the uncommon and unique features of the MCDPA,

These State-level consumer data privacy and protection statutes are very similar. They all apply a notice-disclosure-consent framework for the collection, processing, and sale of consumer data, along with various mandates and imposed obligations on data controllers and processors. However, each statute has some unique features. With respect to the MCDPA, some of the unique features include:

• “Covered entities” include non-profit organizations — most of these statutes exempt non-profit entities
• Starting in 2029, “covered entities” will also include “technology providers” for “postsecondary institutions regulated by the [MN] Office of Higher Education…” — this is unique to the MCDPA
• Data that is publicly available is explicitly exempt from coverage — the explicit exemption is rare
• “Covered entities” does not include “small businesses” as defined by the U.S. Small Business Administration — only two other States have this provision; however, even small businesses must still  obtain consumer consent before selling “sensitive data”
• Controllers are expressly prohibited from processing the “personal data” of a “known child” for purposes of targeted advertising without parental consent — this is rare but becoming more common
• When a consumer asks for information about any third parties with which a controller has disclosed that specific consumer’s personal data, the MCDPA requires disclosure of the specific third parties with which the data has been or is shared — only Oregon’s statute shares this requirement of specificity
• When a consumer asks to know what data has been collected/processed with respect to them, controllers are prohibited from disclosing the actual sensitive information — like Social Security numbers; controllers must simply inform the consumer that it has collected that particular sensitive data — this is unique to the MCDPA
• Controllers must honor any universal mechanism, device, or setting for a consumer’s opt-out choices — this was rarely included in this statute a couple of years ago but is becoming a standard provision
• Controllers must allow consumers to opt out of automated decision-making involving profiling — only two States mandate this
• Further, controllers must allow consumers the right to question the result of any automated decision-making process involving profiling, to be told why the decision was made, and be told what behavior the consumer might take to avoid a similar decision in the future — this is unique to the MCDPA
• Consumers have the right to have any automatic decision-making involving profiling reevaluated if and when a consumer accesses and corrects their personal data — this is unique
• When a controller makes “material changes” to their privacy practices, consumers affected thereby must receive an updated disclosure notice, AND consumers must be offered the opportunity to withdraw any previously given consent — this is unique
• A controller’s privacy notice must include a description of policies and procedures implemented to comply with the MCDPA, including such matters as the name and contact information of the person with primary responsibility for such policies, procedures, and implementation — this is unique
• The privacy notice must also include a description of data retention policies and the date the notice was last updated — this is rare
• The MCDPA requires controllers to maintain a “data inventory” as part of their cybersecurity protocols (also known as “data mapping”) — this is unique

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.