Q&A: How Businesses Must Comply with a New Minnesota State Privacy Law

June 13, 2024
Privacy, Cyber & AI Decoded

On May 24, 2024, Senate Bill 4757, containing a comprehensive Minnesota Consumer Data Privacy Act (MCDA), was signed into law by Minnesota Governor Tim Walz. It will take effect on July 31, 2025.

Who Does the MCDA Apply to?

Similarly to other state privacy laws, the MCDA applies to:

  1. legal entities that conduct business in Minnesota, or
  2. produce products or services that are targeted to Minnesota residents and that satisfy one or more of the following thresholds:

(a) during a calendar year, control or process personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or

(b) derive over 25 percent of gross revenue from the sale of personal data and process or control the personal data of 25,000 consumers or more.

The MCDA also applies to technology providers who contract with a public educational agency or institution to provide a school-issued device for student use and create, receive, or maintain educational data pursuant to or incidental to a contract with a public educational agency or institution.

Does Your Business Fall Within an Exception? 

The MCDA provides exemptions similar to what other states have exempted from coverage, including:

The MCDA also excludes certain types of businesses, such as:

Which Key Provisions Should My Business Look Out For?

1. Requirement of a Written Agreement Between a Controller and a Processor

The MCDA, like the California Consumer Privacy Act (CCPA), requires an agreement to be reached between the controller and the processor that sets out processing instructions that are binding to the processor.

The agreement must also address other matters listed by the MCDA, such as the processor's obligation to delete or return all personal data at the controller's choice and allowing and contributing to reasonable assessments and inspections by the controller or the controller's designated assessor.

2. Consumer Rights

The MCDA provides a list of consumer rights that include:

The MCDA specifies that the controller shall respond to the consumer’s request without undue delay and within 45 days of receipt at the latest. It is worth noting that no waiver of consumer rights is deemed enforceable under the MCDA.

3. The Right to Opt Out

The MCDA also equips consumers with the right to opt out of the processing of personal data for purposes of targeted advertising, selling personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer. 

Such right shall be facilitated through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of any processing or sale.

5. Putting an Appeal Process in Place

According to the MCDA, the controller should establish and make available an internal process whereby a consumer may appeal a refusal to take action on a request to exercise any of the consumer rights.

Privacy Notice

The controller is obligated to provide a privacy notice that shall:

Every time such a Minnesota privacy notice is amended,  consumers affected by the change must be notified so that they can withdraw their consent.

Data Privacy Protection Assessment

When sensitive data is processed, personal data is sold, processed for purposes of targeted advertisement, profiling, or whenever processing involves personal data that presents a heightened risk of harm to consumers, the controller is obligated to conduct and document a data privacy protection assessment. 

How and When is the Act Enforced?

The MCDA will be enforced by the Minnesota Attorney General starting July 31, 2025. It does not provide for a private right of action.