In May 2024, Minnesota was the 19th State to enact a consumer data privacy statute called the Minnesota Consumer Data Privacy Act (“MCDPA”). For most businesses, the MCDPA will become effective at the end of July 2025. The mandates and obligations imposed by the MCDPA on covered businesses are numerous. As such, we will split this article into two parts. In this Part One, the Consumer Data Protection Attorneys at Revision Legal discuss the portion of the MCDPA mandates related to consumers.

Like most of these State-level consumer data protection statutes, the focus is on data “controllers” and “processors” along with various “rights” given to consumers with respect to how their data is collected, processed, shared, and stored. The MCDPA applies in a manner that is similar to other statutes of this kind. That is, the Act applies to persons and entities that conduct business in Minnesota or that target Minnesota residents and that meet either of the following:

• Controls or processes data of 100,000 Minnesota consumers (except where processing is only for completing a payment transaction and the consumer data is not retained) OR
• Derives more than 25% of gross revenue from the sale of personal data AND processes or controls the personal data of at least 25,000 Minnesota consumers

As with all of these statutes, certain types of businesses, such as banks, many health-related entities, governments, etc., are excluded. The MCDPA also partially exempts small businesses (as such are defined by the U.S. Small Business Administration). However, these small businesses are not entirely exempt, so, for example, they must still obtain consumer consent before selling consumer “sensitive data.” Also notable is the lack of exemption for non-profit entities and the explicit inclusion of “technology providers” for colleges, universities, and other higher education entities. This is something new in the MCDPA and is only vaguely defined.

These statutes also typically exclude various categories of data from coverage, and the usual exclusions are found in the MCDPA. Like most of these Statutes, personal data collected from consumers is covered by the MCDPA but not if the consumer is acting in a commercial or employment capacity.

In terms of consumer-facing mandates, the MCDPA requires that controllers of data provide notices and disclosures to consumers, obtain consent from consumers for certain types of processing, and honor certain consumer rights granted by the Act. Some of these rights allow consumers to make requests for data controllers (such as a request to know what data has been collected about a consumer). The MCDPA mandates that businesses respond quickly to these requests (45 days) and to create and maintain a process for consumers to appeal the denial of any request.

The list of consumer rights included in the MCDPA is typical of these statutes. However, the MCDPA has added another set of consumer rights when profiling is used in automated decision-making. Examples might include a consumer request for credit or insurance. When this type of process is used, the MCDPA gives consumers several additional rights:

• To request information about the decision-making process
• To be informed why the automated decision-making process using profiling resulted in the decision that was made
• To be informed of any actions or behaviors that the consumer might have taken or might take in the future to obtain a different result
• To obtain a reevaluation of the decision if the consumer accesses and corrects incorrect data

This set of consumer rights and mandates on data controllers is not present in any similar statute. Businesses that use an automated decision-making process using profiling must provide a mechanism for a consumer to activate these rights.

In Part Two of this article, we will examine other compliance obligations imposed by the MCDPA.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.