Minnesota Consumer Data Privacy Law: Business Guide (Part 2)

by John DiGiacomo

Partner

Internet Law

In May 2024, Minnesota enacted the Minnesota Consumer Data Privacy Act (“MCDPA”). In Part One of this two-part article, the Consumer Data Protection Attorneys at Revision Legal discussed the consumer rights and consumer-facing business obligations imposed by the MCDPA, including additional consumer rights related to automated decisions that utilize profiling data. The MCDPA allows consumers to request information about the decision-making process, why the decision was made, how consumers might have changed their behavior (or might change their behavior in the future) to obtain a different result, and the right to request a reevaluation. These new consumer rights are unique to the MCDPA.

In Part Two, we discuss the other obligations and mandates imposed by the MCDPA. To foreshadow, these obligations and mandates are largely similar to those found in statutes enacted in other states, with a couple of more distinctive features. These other, non-consumer-facing obligations and mandates include:

  • Limitation on data collection, processing, and storage — like similar statutes, the MCDPA limits data collection, processing, and storage to data that is “adequate, relevant and reasonably necessary to effectuate the purposes” for which the data is collected and processed; businesses are mandated to delete data that is not essential for those purposes
  • Consent must be obtained for collecting and processing “sensitive data” like data on race, sexual orientation, health matters, racial background, biometric data, etc.
  • Protection of data related to minors — all personal data about minors and teenagers is deemed to be “sensitive data” and cannot be processed for the purpose of targeted advertising; for other collection and processing, consent must be obtained in advance from parents or lawful guardians
  • Changes in privacy policies require new disclosures and opt-outs — the MCDPA is among the first consumer data privacy statutes to require that new disclosures be sent to impacted consumers when a business makes material changes in its privacy policies; consumers must receive new disclosure statements and be given an opt-out option
  • Cybersecurity — like most statutes of this kind, the MCDPA requires state-of-the-art cybersecurity; the MCDPA goes a bit further and specifically mandates data mapping and preparation of statements detailing descriptions of the adopted cybersecurity protocols
  • Data impact assessments — like recent similar statutes, businesses are required to prepare data impact assessment reports, in advance, for certain activities, like targeted advertising, and for ANY processing that might present a “heightened risk of harm”
  • Agreements with data processors — as with most similar statutes, controllers must have agreements with data processors (and others) that comply with the MCDPA and commit the processors to comply with the MCDPA
  • Providing specific information on data sharing — when consumers request to know the identities of third parties with whom a controller shares a consumer’s data, the MCDPA mandates that the controller provide the specific identity of such third parties (where possible)

One other thing to note: with respect to discrimination, the MCDPA explicitly provides that any discrimination — on the basis of many categories — will also be deemed discrimination under Minnesota’s anti-discrimination laws. This will significantly increase penalties for violation of the MCDPA, which will be enforced by the Minnesota Attorney General through civil penalties of up to $7,500 per violation.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Data Processing Agreements and Vendor Contracts

One of the more operationally demanding requirements imposed by the MCDPA — and one that is common across state privacy statutes — is the requirement that data controllers execute written data processing agreements (DPAs) with all “processors” who handle consumer personal data on the controller’s behalf. Under the MCDPA, these agreements must include specific provisions: instructions for processing, the nature and purpose of the processing, the type of data involved, the duration of the processing, and the rights and obligations of both parties.

For most businesses, this means auditing all existing vendor and SaaS agreements to determine which vendors qualify as “processors” under the MCDPA and then either amending existing agreements or entering into standalone DPAs with those vendors. The list of vendors requiring DPAs is often longer than businesses initially expect: it can include cloud storage providers, email marketing platforms, CRM systems, analytics tools, payment processors, and HR platforms — any vendor that handles Minnesota consumer personal data on the controller’s behalf.

Automated Decision-Making: The MCDPA’s Distinctive Consumer Rights

As noted in Part One of this series, the MCDPA’s provisions on automated decision-making are among its most distinctive features. The MCDPA gives consumers the right to opt out of automated decision-making that profiles them and produces legal or similarly significant effects — including decisions about creditworthiness, insurance, housing, employment, education, and health care.

In addition, where a controller has made an automated decision affecting a consumer, the consumer has the right to:

  • Obtain an explanation of the decision and the factors that led to it
  • Understand how the consumer might have obtained a different outcome
  • Request that a human review the decision

These rights require businesses that use algorithmic decision-making tools — credit scoring models, automated hiring screening systems, insurance pricing algorithms — to build processes for responding to consumer requests. The MCDPA does not specify a particular technical approach, but it does require that the response be meaningful: a form letter that says “a human reviewed your request” without any substantive engagement with the consumer’s specific situation would not satisfy the statute.

Cybersecurity Requirements: Data Mapping and Protocol Documentation

The MCDPA’s cybersecurity requirements go beyond the general “reasonable security measures” standard found in many state privacy statutes. Specifically, the MCDPA requires that controllers:

  • Implement and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and sensitivity of the personal data processed
  • Conduct data mapping — creating and maintaining records that document what personal data is collected, where it is stored, how it flows through the organization, with whom it is shared, and how long it is retained
  • Prepare written descriptions of the cybersecurity protocols adopted by the organization

The data mapping requirement, in particular, is an ongoing compliance obligation — not a one-time exercise. As a business’s data collection practices, technology stack, and vendor relationships change, the data map must be updated. Controllers should establish processes for maintaining current data inventory documentation as part of their standard compliance program.

Data Impact Assessments: When They Are Required and What They Must Cover

The MCDPA requires that controllers conduct and document data protection impact assessments (DPIAs) in advance of certain high-risk processing activities. These assessments are required for processing activities that involve:

  • Sensitive data
  • Personal data for the purposes of targeted advertising
  • The sale of personal data
  • Profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment of consumers or disparate impact on consumers
  • Any processing activities that present a heightened risk of harm to consumers

A DPIA must identify and weigh the benefits of the processing against the potential risks to consumers, and must document the measures the controller is implementing to mitigate those risks. The MCDPA allows the Attorney General to request that a controller disclose a DPIA as part of an enforcement investigation. Controllers whose DPIAs were not conducted in good faith — or who lack DPIAs for required activities — face significant enforcement exposure.

Enforcement: The Minnesota Attorney General and Private Rights of Action

The MCDPA is enforced exclusively by the Minnesota Attorney General — there is no private right of action for individual consumers to sue for violations. The AG has the authority to seek civil penalties of up to $7,500 per violation. Before bringing an enforcement action, the AG must provide a 30-day cure notice to the alleged violator; however, this cure period expires in 2026, after which violations can be prosecuted without an opportunity to cure.

Businesses should also be aware that MCDPA violations may independently support claims under Minnesota’s consumer fraud statutes or the FTC Act, even if the MCDPA itself does not provide a private right of action. Federal and state regulators have increasingly treated privacy policy misrepresentations as unfair or deceptive trade practices subject to independent enforcement action.

Contact the Data Privacy Attorneys at Revision Legal

Compliance with the Minnesota Consumer Data Privacy Act requires a comprehensive, documented program — not just a revised privacy policy. The Data Privacy Attorneys at Revision Legal help businesses build MCDPA compliance programs, conduct data mapping, draft DPAs, and prepare data impact assessments. Contact us through the form on this page or call (855) 473-8474.
