The Minnesota Consumer Data Privacy Law: Summary For Consumers

In May 2024, Minnesota enacted a consumer data privacy statute called the Minnesota Consumer Data Privacy Act (“MCDPA”). About 20 States have enacted consumer data privacy statutes similar to the MCDPA, and the MCDPA follows the general template of those statutes. However, there are some unique and additional features of the MCDPA that are very “pro-consumer.” In this article, the Consumer Data Protection Attorneys at Revision Legal provide a summary of the MCDPA relevant to consumers.

Like similar statutes, the MCDPA attempts to protect consumer data privacy through a notice/consent and business mandates framework. Under the MCDPA, consumers are given various rights related to how their personal data is collected, processed, shared, stored, and deleted. Note that, like many other similar statutes, the MCDPA only protects consumer data when a person is acting as a consumer but not when a person is acting in a business or employment capacity. The MCDPA includes these standard rights for consumers:

Right to notice and to give consent — consumers have a right to receive a privacy notice from controllers of data and to give consent for such things as processing “sensitive data,” having data used for targeting advertising, etc.
Expanded right to new disclosures and consent options when policies are changed — the MCDPA adds an expanded right that new disclosures (and consent options) must be sent to impacted consumers when a business makes material changes in its privacy policies; consumers have the right to the new disclosure statements and to be given new opt-out and consent options
Right to know — consumers have the right to know if a business is collecting and processing their personal and sensitive data
Right to access — this is the right to have access to the data collected and stored by a business
Right to portability — this is the right to have a copy of the data collected and stored where the copy is in such a form as can be provided/downloaded/imported to another business
Right to know with whom data is shared — this is the right to know with whom personal data is being shared
Expanded right to know specifics — the MCDPA adds an expanded right that allows consumers to know specifically with whom their data is shared (if possible); that is, controllers must specifically identify a company or person with whom consumer data is shared (if possible)
Right to correct — this is the right to correct inaccurate data held by a controller
Right to opt-out — under the MCDPA, the opt-out right relates to opting out of having their data used for targeted advertising, the sale of data, and use of personal data for profiling for purposes of automated decision-making that results in legal or significant effects
Right to speedy action — this is the right to have, upon request, a business act quickly (within 45 days) after receiving a consumer’s request
Right to appeal non-action or negative action — this is the right to have a mechanism, internal to the business, to appeal a non-action or negative action made by the business after a consumer’s request
Right to UOOMS — this is a consumer’s right to use a universal opt-out mechanism (“UOOMs”), like a browser or other setting/device, to apply their opt-out choices to each website visited; the MCDPA requires businesses to honor such UOOMs
Children’s right to no processing — the MCDPA prohibits businesses from processing any personal data of a “known child” (under the age of 16) for certain types of processing (like for targeted advertising)
Parent’s right to consent — the MCDPA grants parents the right to consent, on behalf of their children, for other types of data processing

As noted, as of now, the above is the basic and standard set of consumer rights granted by most of these consumer data protection statutes. However, as noted, the MCDPA has added another set of consumer rights for circumstances where profiling is used in automated decision-making. These new consumer rights are unique — for now — to the MCDPA. When profiling is used in automated decision-making processes, the MCDPA gives consumers the following additional rights:

Right to know about the decision-making process — that is, the right to know what data was profiled and how it was used in the automated process
Right to know why — that is, the right to know why (or what factors led to) the decision that was made using profiling in an automated decision-making process
Right to know what could be changed to obtain a different result — that is, where possible, consumers have a right to be informed of actions or behaviors that the consumer might have taken or might take in the future to obtain a different result
Right to reevaluation — that is, consumers have a right, under some circumstances, to a reevaluation of the decision made using profiling with an automated decision-making process

As noted, these additional rights are unique to the MCDPA. Businesses must provide a mechanism for consumers to activate these rights.

If consumers think that their rights under the MCDPA have been violated, complaints can be made with the Office of the Minnesota Attorney General who is tasked with enforcing the law. Businesses that violate the MCDPA can be fined $7,500 per violation and, depending on the facts, can face punishments under the Minnesota anti-discrimination laws.

Contact the Consumer Data Privacy and Compliance Attorneys at Revision Legal

For more information, contact the experienced Consumer Data Privacy and Compliance Lawyers at Revision Legal. You can contact us through the form on this page or call (855) 473-8474.