Minnesota Privacy Act 101

James Grieco
May 24, 2024

Many American state legislatures wrap up their sessions in May, so we’re nearing the cap of how many states will pass comprehensive data privacy laws this year. Minnesota managed to pull off that feat and had its new law, the Minnesota Consumer Data Privacy Act, signed just days later, officially enshrining it into law.

While we wait to see if the bill Vermont passed will actually be signed by the governor, Minnesota becomes the 18th state with comprehensive data privacy regulation (or 19th, if you count Florida and its Digital Bill of Rights, which does provide data rights to consumers but also heavily targets only a handful of Big Tech companies for compliance). 

Minnesota, a blue state similar to Delaware, Oregon, New Jersey, and Maryland, follows the trend those states have taken recently in making substantial alterations to the basic model for a state privacy law; most of the changes are for the better, giving individuals more rights and organizations more limits on how they can collect and process data.

In fact, the state has created several never-before-seen business requirements that will make it one of the laws corporations and businesses will need to circle when scaling their privacy programs. More on that below.

Minnesota Data Privacy Law at a Glance

One aspect of Minnesota’s data privacy law that does not deviate (much) from the norm is its applicability threshold. Businesses will need to comply if they:

  • Control or process personal data of 100,000+ state consumers, or
  • Control or process the personal data of 25,000+ consumers while deriving more than 25% of gross revenue from the sale of personal data.

100,000 state consumers is the default threshold, and with Minnesota’s population of over 5.7 million, that puts the state in the middle of the pack for how strict that threshold is.

The interesting part of the state’s applicability threshold is actually that Minnesota exempts small businesses as defined by the US Small Business Administration. The only other states to include this criterion are Texas and Nebraska, but neither of those states has a consumer threshold at all, which tends to widen their applicability.

It will be interesting to see how Minnesota’s exemption combined with the 100,000 figure works in casting the compliance net. That exemption does not mean small businesses can do as they please, as they cannot sell sensitive data without consent from the consumer, a la Texas and Nebraska’s requirements. 

MNCDPA will enter into effect on July 31, 2025, so roughly 14 months after it passed. It features a short, 30-day cure period that will be available to organizations over the first six months of the law, as the cure period ends January 31, 2026.

Minnesota Data Privacy Law Exemptions

Minnesota splits the difference when it comes to exemptions in state privacy bills. Other than California and Colorado, most of the first dozen states to pass privacy laws feature quite lengthy lists of both entity and data-level exemptions.

Newer state laws like Maryland’s Online Data Privacy Act dramatically cut into that list, but the lengths gone to within that bill were obviously too extreme for a state like Minnesota, which is home to a litany of Fortune 500 companies.

Exemptions within MNCDPA include:

  • Government entities
  • Federally recognized Indian tribes (currently unique to Minnesota)
  • Healthcare providers 
  • HIPAA-covered data
  • Gramm-Leach-Bliley Act 
  • Health Care Quality Improvement Act of 1986-covered data
  • Fair Credit Reporting Act
  • Insurance companies
  • Other health and credit report-related data

Despite this long list of exemptions, a few noteworthy entities are not exempt from complying with MNCDPA:

  • Nonprofit organizations
  • Higher education institutions

Nonprofits and higher education are exempt from the vast majority of other state laws, so their absence from the exemption list here is an interesting development that will further drive many organizations in those sectors toward data compliance.

The state has provided nonprofits and higher education a grace period, however, as those categories will not need to be compliant until July 31, 2029. This gives them ample time to prepare privacy programs that in all likelihood are at a nascent stage currently, considering they have been exempt from most laws until the past few months.

The other major (non)development is that the Minnesota data privacy law does not cover employee data, again leaving California’s CCPA as the only state with signed legislation to do so.

Minnesota Consumer Data Rights

Minnesota’s new law excels when it comes to data rights. Minnesotans (like myself) will have the standard set of rights found in every other state on top of newer and stronger rights only seen in a few other states. 

The data rights Minnesota residents have are:

  • Confirm
  • Delete
  • Correct inaccuracies
  • Access
  • Revoke consent
  • Portability
  • Appeal 
  • Opt-out of the sale of data or processing for targeted advertising
  • To see which third parties a controller has shared the specific consumer’s data with 
  • Protections against discriminatory data processing behavior
  • Review and challenge the result of a decision made with profiling technology

The right to see which third parties have gotten access to your data is a game changer, and currently only exists in Delaware, Oregon, and Maryland. Likewise, on top of the general anti-discriminatory protections for people who exercise their data rights, Minnesota becomes just the second state after Maryland to include consumer protections against discrimination in data processing itself.

That opens up the door for the last bullet point and a newly created American data right, as Minnesotans can challenge decisions made on the basis of a profile (particularly relevant as more AI algorithms enter the market). This rounds out one of the most robust sets of consumer rights on this side of the Atlantic.

In practice, there is also a unique quirk for Minnesotans exercising their data rights. Any time an individual exercises any of their data rights, the data controller must inform the individual if the organization has collected any of the following types of sensitive data:

  • Social security number
  • Government ID, such as a driver’s license
  • Financial account number
  • Health insurance information
  • Account passwords or security Q&As
  • Biometric data

This transparency will ensure consumers are more informed about overall data collection practices, and crucially, controllers only confirm whether the data has been collected; they must not disclose the data itself, thus protecting its security.

Even with this requirement, data subject right handling must still operate on the usual 45-day timeline.

Minnesota Data Privacy Law Requirements

The compliance requirements for businesses are where the Minnesota data privacy law stands out from the pack. Those requirements include:

  • Data privacy and protection assessments 
  • Data minimization and duty to avoid secondary use
  • Well-marked privacy policies that notify users when changes occur and provide easy access to revoke consent
  • A baseline of data security measures
  • Data processing agreements
  • Full documentation of everything a data controller has done to ensure compliance
  • Appointment of a Chief Privacy Officer or adjacent role
  • Maintenance of an accurate data inventory
  • Data retention limits 

The language around some of the requirements in the MNCDPA is unique, as are various provisions themselves. Data privacy and protection assessments are this law’s version of DPIAs.

A company must conduct DPPAs if it is selling data, processing sensitive data, or engaging in activities such as profiling or targeted advertising. Information to be included in these assessments includes the type of data, the sensitivity of the data, and the processing context. 

This section of the law also enumerates the need for controllers to document their compliance efforts, and calls out a need to provide contact information for a “Chief Privacy Officer” or similar position. Appointing an employee as the head of data privacy operations is a GDPR requirement, but Minnesota becomes the first American state to adopt the requirement.

Minnesota is also the first state to carry over the GDPR principle of data retention limits. The MNCDPA notes controllers cannot maintain data “that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed.”

The most impactful new requirement introduced by Minnesota’s data privacy law is the need to maintain a data inventory. A data inventory, another name for a data map, is common across enterprises but has never been explicitly required by law … until now. This puts the pressure on organizations to ensure their data inventory is as accurate as possible, which should spur investment in automated tools to carry out the task instead of the tedious work of building a data map manually.

Additional areas of protection within the MNCDPA focus on children’s data and de-identified and pseudonymized data.

For processing data of known children (defined as those under 13), companies must obtain opt-in, and they also must obtain consent before initiating either targeted advertising or the sale of personal data for individuals between 13 and 16 years old.

For de-identified and pseudonymized data, there are also unique requirements, as controllers, processors, and third parties cannot try to identify the subjects this data refers to if the data was collected only with pseudonymous identifiers. Given “pseudonymized data” is often not truly anonymous, this extra protection should afford more security to standard de-identification processes.

Minnesota Data Privacy Law Enforcement

The Minnesota Consumer Data Privacy Act officially becomes law on July 31, 2025, ahead of the laws in numerous states that passed theirs before Minnesota did.

There will be a 30-day cure period until January 31, 2026, one of the shortest cure periods on record in the sphere.

Although the Attorney General does not have rulemaking ability, the AG’s office will enforce the law, with each individual violation carrying the typical $7,500 fine.

Minnesota Data Privacy Law Preparation

There are so many new and unique requirements to Minnesota’s data privacy law that privacy programs are going to spend much more time studying and preparing for this one in comparison with most state laws.

The now explicit need to keep a data inventory should make data mapping an even more vital aspect of privacy management, but if you want your data map to be accurate and continuous, you need the best solution.

You’re in luck, because MineOS’s data mapping helps identify and classify data with more accuracy than any other software on the market. Don’t believe us? Give it a try with a free, in-depth demo.