The Minnesota Consumer Data Privacy Law (Part One): What Businesses Should Know featured image

The Minnesota Consumer Data Privacy Law (Part One): What Businesses Should Know

by John DiGiacomo

Partner

Internet Law

In May 2024, Minnesota was the 19th State to enact a consumer data privacy statute called the Minnesota Consumer Data Privacy Act (“MCDPA”). For most businesses, the MCDPA will become effective at the end of July 2025. The mandates and obligations imposed by the MCDPA on covered businesses are numerous. As such, we will split this article into two parts. In this Part One, the Consumer Data Protection Attorneys at Revision Legal discuss the portion of the MCDPA mandates related to consumers.

Like most of these State-level consumer data protection statutes, the focus is on data “controllers” and “processors” along with various “rights” given to consumers with respect to how their data is collected, processed, shared, and stored. The MCDPA applies in a manner that is similar to other statutes of this kind. That is, the Act applies to persons and entities that conduct business in Minnesota or that target Minnesota residents and that meet either of the following:

  • Controls or processes data of 100,000 Minnesota consumers (except where processing is only for completing a payment transaction and the consumer data is not retained) OR
  • Derives more than 25% of gross revenue from the sale of personal data AND processes or controls the personal data of at least 25,000 Minnesota consumers

As with all of these statutes, certain types of businesses, such as banks, many health-related entities, governments, etc., are excluded. The MCDPA also partially exempts small businesses (as such are defined by the U.S. Small Business Administration). However, these small businesses are not entirely exempt, so, for example, they must still obtain consumer consent before selling consumer “sensitive data.” Also notable is the lack of exemption for non-profit entities and the explicit inclusion of “technology providers” for colleges, universities, and other higher education entities. This is something new in the MCDPA and is only vaguely defined.

These statutes also typically exclude various categories of data from coverage, and the usual exclusions are found in the MCDPA. Like most of these Statutes, personal data collected from consumers is covered by the MCDPA but not if the consumer is acting in a commercial or employment capacity.

In terms of consumer-facing mandates, the MCDPA requires that controllers of data provide notices and disclosures to consumers, obtain consent from consumers for certain types of processing, and honor certain consumer rights granted by the Act. Some of these rights allow consumers to make requests for data controllers (such as a request to know what data has been collected about a consumer). The MCDPA mandates that businesses respond quickly to these requests (45 days) and to create and maintain a process for consumers to appeal the denial of any request.

The list of consumer rights included in the MCDPA is typical of these statutes. However, the MCDPA has added another set of consumer rights when profiling is used in automated decision-making. Examples might include a consumer request for credit or insurance. When this type of process is used, the MCDPA gives consumers several additional rights:

  • To request information about the decision-making process
  • To be informed why the automated decision-making process using profiling resulted in the decision that was made
  • To be informed of any actions or behaviors that the consumer might have taken or might take in the future to obtain a different result
  • To obtain a reevaluation of the decision if the consumer accesses and corrects incorrect data

This set of consumer rights and mandates on data controllers is not present in any similar statute. Businesses that use an automated decision-making process using profiling must provide a mechanism for a consumer to activate these rights.

In Part Two of this article, we will examine other compliance obligations imposed by the MCDPA.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.

Extra, Extra!
Recent Posts

Can I Trademark a Non-English Word or Phrase in the U.S.?

Can I Trademark a Non-English Word or Phrase in the U.S.?

Trademark

Yes, as long as the proposed trademark meets the other requirements for registration. U.S. trademark laws do not require that only the English language can be used for trademarks. However, whatever the language, trademarks must meet the legal requirements, including functionality, distinctiveness, uniqueness, etc. For example, every trademark must function as a trademark in that […]

Read more about Can I Trademark a Non-English Word or Phrase in the U.S.?

California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional

California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional

Internet Law

In a new ruling, a California federal judge has declared the entirety of California’s Age-Appropriate Design Code Act (“CAADCA”) to be unconstitutional. Cal. Civ. Code §§ 1798.99.28 et seq. See media report here and the Opinion here. The case is Netchoice, LLC. v. Bonta, Case No. 22-cv-08861-BLF (US N.Dist. Cal, March 13, 2025). The CAADCA […]

Read more about California’s Age-Appropriate Design Code Act Declared Wholly Unconstitutional

Put Revision Legal on your side