In May 2024, Minnesota enacted the Minnesota Consumer Data Privacy Act (“MCDPA”). In Part One of this two-part article, the Consumer Data Protection Attorneys at Revision Legal discussed the consumer rights and consumer-facing business obligations imposed by the MCDPA, including additional consumer rights related to automated decisions that utilize profiling data. The MCDPA allows consumers to request information about the decision-making process, why the decision was made, how consumers might have changed their behavior (or might change their behavior in the future) to obtain a different result, and the right to request a reevaluation. These new consumer rights are unique to the MCDPA.

In Part Two, we discuss other obligations and mandates imposed by the MCDPA. To foreshadow, these other obligations and mandates are similar to those found in similar statutes that have been enacted in other States with a couple of more unique features. These other non-consumer-facing obligations and mandates include:

• Limitation on data collection, processing, and storage — like similar statutes, the MCDPA mandates a limit on data collection, processin,g and storage of data that is “adequate, relevant and reasonably necessary to effectuate the purposes” for which the data is collected and processed; businesses are mandated to delete data that is not essential for various purposes
• Consent must be obtained for collecting and processing “sensitive data” like data on race, sexual orientation, health matters, racial background, biometric data, etc.
• Protection of data related to minors — all personal data about minors and teenagers is deemed to be “sensitive data” and cannot be processed for the purpose of targeted advertising; for other collection and processing, consent must be obtained in advance from parents or lawful guardians
• Changes in privacy policies require new disclosures and opt-outs — the MCDPA is among the first consumer data privacy statutes to require that new disclosures be sent to impacted consumers when a business makes material changes in its privacy policies; consumers must receive new disclosure statements and be given an opt-out option
• Cybersecurity — like most statutes of this kind, the MCDPA requires state-of-the-art cybersecurity; the MCDPA goes a bit further and specifically mandates data mapping and preparation of statements detailing descriptions of the adopted cybersecurity protocols
• Data impact assessments — like recent similar statutes, businesses are required to prepare data impact assessment reports, in advance, for certain activities, like targeted advertising, and for ANY processing that might present a “heightened risk of harm”
• Agreements with data processors — as with most similar statutes, controllers must have agreements with data processors (and others) that comply with the MCDPA and commit the processors to comply with the MCDP
• Providing specific information on data sharing — when consumers request to know the identities of third parties with whom a controller shares a consumer’s data, the MCDPA mandates that the controller provide the specific identity of such third parties (where possible)

One other thing to note: with respect to discrimination, the MCDPA explicitly provides that any discrimination — on the basis of many categories — will also be deemed discrimination under Minnesota’s anti-discrimination laws. This will significantly increase penalties for violation of the MCDPA which will be enforced by the Minnesota Attorney General by civil penalties of up to $7,500 per violation.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.