Minnesota Passes Consumer Data Privacy Act

Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (“MNCDPA”) into law on May 24, 2024. The MNCDPA will come into effect on July 31, 2025. The good news is that the bill does not grant the Attorney General rulemaking authority.
A business is covered by the MNCDPA if it conducts business in Minnesota or produces products or services that target Minnesota residents, and satisfies one or more of the following thresholds:
(1)  during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
(2)  derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.
Regardless of the number of consumers, there is a complete ban on selling sensitive data without the consumer’s prior affirmative consent.
Consumer Rights.
The MNCDPA applies to Minnesota consumers (i.e., Minnesota residents who act only in an individual or household context and not in a commercial or employment context).
A consumer has the right to:
  • Confirm whether or not a controller is processing personal data concerning the consumer and access the categories of personal data the controller is processing.
  • Correct inaccurate personal data concerning the consumer.
  • Delete personal data concerning the consumer.
  • Obtain personal data concerning the consumer, which the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
  • Opt-out of the processing of personal data concerning the consumer for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.
  • Obtain a list of the names of specific third parties to which the controller has disclosed the consumer’s personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers’ personal data may be provided instead.
  • As to profiling, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in any given decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future. In addition, the consumer has the right to review the consumer’s personal data used in the profiling. If the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.
The Minnesota privacy law mandates that businesses (“Controllers”) undertake the following privacy-related actions and post the same in their online and offline privacy notices:
  • Consumer Requests. Controllers have 45 days to respond to consumer rights requests, with a potential 45-day extension when reasonably necessary.
  • Sensitive or Biometric Data Disclosures. Controllers do not have to produce sensitive information such as Social Security numbers, driver’s license numbers, biometric data, etc. in response to a request to access.
  • Non-Discrimination.  The MNCDPA provides that a “controller shall not process personal data on the basis of a consumer’s or a class of consumers’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.”
  • Data Protection Assessment. A controller must conduct and document a data privacy assessment for specific types of personal data processing activities: processing for targeted advertising; sale of personal data; processing sensitive data; processing activities posing a heightened risk to consumers; profiling that could lead to unfair treatment, financial harm, invasion of privacy, or other significant consumer injury.
  • Universal Opt-Out Mechanisms. Controllers are required to recognize universal opt-out mechanisms (“UOOMs”) to opt consumers out of sales and targeted advertising. There is no delayed effective date for recognizing UOOMs.
  • Processing Agreements. When a controller hires a service provider (“processor”) to handle data, the two must sign a binding contract that specifies how data will be processed. The contract covers processing instructions, data confidentiality, subcontractor engagement (subject to controller approval), and subcontractor obligations regarding data protection.
  • Data Minimization. A controller must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed, which must be disclosed to the consumer.
  • Data Security & Inventory.  A controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities.
  • Privacy Policy Placement. The MNCDPA includes requirements for placement of the privacy notice, which must be posted online through a conspicuous hyperlink using the word “privacy” on the controller’s website home page or, in the case of a mobile application, the app store page or download page and in the application’s settings menu or in a similarly conspicuous and accessible location.
  • Privacy Notice Material Changes. Controllers must notify consumers of material changes with respect to the controller’s privacy notice or practices and take “all reasonable electronic measures to provide notification” to affected consumers, “taking into account available technology and the nature of the relationship.”
  • Policies & Procedures. A controller must document and maintain a description of the policies and procedures the controller has adopted.
Enforcement.
The MNCDPA does not contain a private right of action and will be enforced exclusively by the Minnesota Attorney General. The MNCDPA provides a 30-day cure period. The cure provision expires January 31, 2026. Violations are subject to civil penalties up to $7,500 per violation.

This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.