Minnesota Consumer Data Privacy Act (MCDPA)

The Minnesota House of Representatives passed the Minnesota Consumer Data Privacy Act (MCDPA) on May 10th, 2024, and Governor Tim Walz signed it into law on May 24th, 2024. It will take effect on July 31, 2025 for most covered entities.

This article explains what the Minnesota Consumer Data Privacy Act (MCDPA) is, who it applies to, what it requires, how to comply with the MCDPA, and the penalties for not complying.

What is the Minnesota Consumer Data Privacy Act (MCDPA)?

The Minnesota Consumer Data Privacy Act (MCDPA) is a privacy law that gives Minnesota consumers certain rights relating to their personal information and outlines the rules that businesses must follow when collecting or processing consumers' personal data.

What Consumer Rights Does the Minnesota Consumer Data Privacy Act (MCDPA) Grant?

Consumer rights under the Minnesota Consumer Data Privacy Act (MCDPA) include:

• The right to know if their personal data is being processed
• The right to access their personal data
• The right to correct their personal data
• The right to delete their personal data
• The right to obtain a copy of their personal data
• The right to opt out of certain data processing activities
• The right to question any profiling that results in legal effects and to be informed as to whether they could take any actions to create a different result in the future
• The right to review any personal data used in profiling activities
• The right to have profiling decisions reevaluated if the personal data the profiling was based on was inaccurate
• The right to obtain a list of any third parties personal data has been disclosed to
• The right to not be discriminated against for exercising their rights

Section 6 [325O.05], Subdivision 1 of the Minnesota Consumer Data Privacy Act (MCDPA) explains consumers' rights under the law, including the right to edit or delete their personal data and the right to opt out of certain data processing activities:

Who Does the Minnesota Consumer Data Privacy Act (MCDPA) Apply to?

The Minnesota Consumer Data Privacy Act (MCDPA) applies to companies that do business in Minnesota or offer goods or services to Minnesota residents, and meet at least one of the following criteria:

• Control or process personal data belonging to at least 100,000 consumers per year (not counting data used solely for payment transactions), and/or
• Get more than 25% of their gross revenue from selling personal data and process or control personal data belonging to at least 25,000 consumers

The Minnesota Consumer Data Privacy Act (MCDPA) refers to entities that decide why and how to process consumers' personal data as controllers, while those that process personal data for a controller are called processors.

Section 4 [325O.03], Subdivision 1 of the Minnesota Consumer Data Privacy Act (MCDPA) explains that the law applies to entities that do business in Minnesota or provide products or services to Minnesota residents and meet its thresholds:

Who is Exempt From the Minnesota Consumer Data Privacy Act (MCDPA)?

The Minnesota Consumer Data Privacy Act (MCDPA) does not apply to certain entities and types of information, including:

• Government agencies
• Federally-recognized Indian tribes
• Protected health information
• Patient identifying information
• Information subject to certain laws, such as the Gramm-Leach-Bliley Act and the Family Education Rights and Privacy Act
• Employee data
• Information used solely for payment transactions where no consumer data is retained

Section 4 [325O.03], Subdivision 2 of the Minnesota Consumer Data Privacy Act (MCDPA) describes the organizations and categories of information that are exempt from the law, including government entities and protected health information:

What Does the Minnesota Consumer Data Privacy Act (MCDPA) Require?

The Minnesota Consumer Data Privacy Act (MCDPA) requires applicable controllers and processors to meet the following requirements:

• Maintain a clearly written, easily accessible Privacy Policy
• Provide consumers with a way to exercise their rights
• Respond to consumer requests
• Give consumers a way to opt out of certain data processing activities
• Maintain a contract between controllers and processors
• Keep consumers' personal data safe
• Get consumer consent before engaging in certain data processing activities
• Conduct and record any necessary data privacy and protection assessments (audits of their privacy practices)

How to Comply With the Minnesota Consumer Data Privacy Act (MCDPA)

There are a few guidelines you should follow to comply with the Minnesota Consumer Data Privacy Act (MCDPA), including maintaining a Privacy Policy, providing opt-out mechanisms, and responding to consumer requests, among others.

Let's take a look at some of the steps you can take to comply with the Minnesota Consumer Data Privacy Act (MCDPA).

Maintain a Privacy Policy

The Minnesota Consumer Data Privacy Act (MCDPA) requires applicable businesses to maintain a clearly written, easily accessible Privacy Policy.

To comply with the law, your Privacy Policy should contain the following clauses:

• The types of personal data you process
• Your reasons for processing personal data
• A list of consumers' rights under the law
• A description of how consumers can exercise their rights
• The types of personal data you sell to or share with third parties
• The kinds of third parties with whom you sell or share personal data
• Your contact information
• An explanation of your data retention policies
• The date your Privacy Policy was last updated
• A disclosure of certain data processing activities that includes a way for consumers to opt out

Section 8 [325O.07], Subdivision 1 of the Minnesota Consumer Data Privacy Act (MCDPA) explains that applicable businesses must have a Privacy Policy that contains clauses about how they handle consumers' personal data:

Let's take a look at some examples of each of these clauses.

What Personal Data You Process

Your Privacy Policy should list the types of personal data you process. Be as specific and detailed as possible, while remaining accurate.

Aeon's Privacy Policy describes the types of personal information it collects from users, including data about their location, demographics, and online behavior, as well as their names and email addresses:

Why You Process Personal Data

This clause explains your reasons for processing consumers' personal data. You should limit data processing to that which is necessary to fulfill these purposes, and notify consumers and get their consent before processing their personal data if your reasons change in the future.

Target's Privacy Policy explains why it uses consumers' personal information, including to process transactions, identify fraud, and improve the user experience:

Consumers' Rights

This clause lists consumers' privacy rights. It should contain a description of how consumers can exercise their rights, including how they can appeal any decisions you make in response to their requests.

Siemens' Privacy Notice lists some of the rights its users may have, including the right to correct and delete their personal data and the right to withdraw their consent to have their personal data processed:

Apple's Privacy Policy explains that users can exercise their privacy rights by visiting its Apple Data and Privacy Page:

What Personal Data You Sell to or Share With Third Parties

You should explain what types of personal data you sell to or share with third parties. This can be for things such as completing a business merger, or complying with legal demands.

Medtronic's Website Privacy Statement explains that it may share personal information such as users' names and email addresses with third-party vendors:

What Third Parties You Disclose or Sell Personal Data to

This clause lists the categories of third parties with whom you sell or share consumers' personal data.

UnitedHealth Group's Privacy Policy explains that it may share personal information with its affiliates and service providers, among other third parties:

Your Contact Information

You should give users a way to get a hold of you, including at least one online contact method.

Best Buy's Privacy Policy includes an email address where users can send privacy-related questions or concerns:

Your Data Retention Policies

This clause explains how long you retain personal data and what you do when you're done with it. The MCDPA requires applicable businesses to only keep personal data for as long as necessary to fulfill their purposes.

Cargill's Privacy Policy explains that it keeps consumers' personal information for only as long as necessary, after which it will either delete or anonymize the data:

List of Certain Data Processing Activities and Opt-Out Method

You should let consumers know if you engage in any of the following data processing activities:

• Selling personal data to third parties
• Processing personal data for targeted advertising purposes
• Using personal data for profiling that could result in legal or similar effects regarding a consumer

You will also need to provide a way for consumers to opt out of these data processing activities. The opt-out method needs to be accessible outside of the Privacy Policy, and should include a clearly labeled link that says either "Your Opt-Out Rights" or "Your Privacy Rights." The link should take users directly to a page where they can complete their opt-out request.

Walmart's Privacy Notice describes how users can opt out of interest-based advertising via its advertising settings or by following links to specific advertising groups:

How to Display Your Privacy Policy

Once your Privacy Policy is written, you must put it somewhere users can easily find it.

The Minnesota Consumer Data Privacy Act (MCDPA) requires applicable businesses to use the word "Privacy" in their hyperlink and to put the link in a conspicuous location on their homepage, app store page or download page, and in their mobile app settings menu.

It's good practice to link your Privacy Policy within your website footer, as well as wherever you collect personal information.

Businesses commonly put links to their Privacy Policies in the following locations:

• Website footer
• In-app menu
• Checkout page
• Account creation/sign-in page
• Newsletter subscription area

Carlson includes a link to its Privacy Policy in its website footer:

Respond to Consumer Requests

Businesses must give consumers a way to exercise their rights and respond to consumer requests regarding their personal data.

You must notify the consumer of any actions taken or of your decision not to take action in response to their request within 45 days of receiving the request.

You can extend this period of time once by an additional 45 days if necessary, as long as you inform the consumer of the reasons for the extension within the initial 45-day period.

If you don't take the requested action, you must let the consumer know of your reasons for not taking action and how they can appeal your decision.

You have 45 days after receiving an appeal to inform consumers of your decision regarding their appeal. You can extend this period of time by 60 days if necessary as long as you inform the consumer of the reasons for the delay.

If you deny the consumer's appeal, you must provide them with an online method for contacting the attorney general and instructions for how to file a complaint.

Section 6 (325O.05), Subdivision 4 of the Minnesota Consumer Data Privacy Act (MCDPA) lists its requirements for controller responses to consumer requests, including responding to requests within 45 days:

Provide Opt-Out Mechanisms

In addition to responding to consumer requests concerning their rights, businesses must provide a way for consumers to opt out of the use of their data for certain activities.

You may need to provide consumers with an opt-out mechanism if you sell their personal data or use it for targeted advertising (advertising based on a user's online behavior) or certain profiling purposes.

Among other requirements, the opt-out mechanism must:

• Not depend on a default setting
• Require the consumer to actively choose to opt out of the processing of their personal data
• Be easy to use
• Enable you to identify the consumer as a Minnesota resident
• Let users know if their choice to opt out will affect their access to any of your services

Section 6 (325O.05), Subdivision 3 of the Minnesota Consumer Data Privacy Act (MCDPA) explains that opt-out mechanisms should be easy to use and require consumers to make a clear choice to opt out of certain data processing activities:

Maintain a Contract Between Data Controllers and Processors

Data controllers and data processors (and any subcontractors) should have a contract in place that details the instructions for and nature of data processing activities.

The contract should ensure that personal data is kept confidential and list:

• The type of data to be processed
• The length of the data processing
• The rights and responsibilities of both parties

Section 5 [325O.04] explains the contractual obligations of data controllers and processors, including explaining the nature of the data processing activities and ensuring the confidentiality of personal data:

Implement Security Measures

You should use administrative, technological, and physical safeguards that are appropriate to the amount and types of personal data you process to protect consumers' personal data.

Security measures can include:

• Only allowing trained staff to access confidential information
• Locking doors and filing cabinets, using security cameras, and employing security guards
• Using encryption and antivirus software

Section 8 [325O.07], Subdivision 2 of the MCDPA explains that businesses must implement appropriate safety measures to keep the personal data they process secure:

Get Consent

You must provide a way for consumers to give and revoke their consent for certain data processing activities.

Obtaining consent in the context of privacy laws means getting a user's agreement to allow you to process their personal data.

For consent to be valid under the Minnesota Consumer Data Privacy Act (MCDPA), it must be "freely given, specific, informed, and unambiguous." Getting a user to accept the terms of a legal agreement that describes how you process personal data but also contains unrelated information does not count as consent under the law.

Section 3 [35O.02) of the Minnesota Consumer Data Privacy Act (MCDPA) explains that consent must clearly signal a consumer's choice to allow the processing of their personal data:

The Minnesota Consumer Data Privacy Act (MCDPA) requires businesses to get consent before engaging in the following data processing activities:

• Processing sensitive data
• Processing personal data belonging to consumers between the ages of 13 and 16 for targeted advertising purposes
• Selling personal data belonging to consumers between the ages of 13 and 16

While some small businesses may be exempt from many of the MCDPA's requirements, the law does require small businesses to get consent from consumers before selling their sensitive data.

Sensitive personal data is a special category of personal data that can include:

• Race or ethnicity
• Religion
• Health conditions
• Sexual orientation
• Citizenship or immigration status
• Biometric or genetic data used to identify an individual
• Data belonging to a child
• Specific geolocation information

Section 8 [325O.07], Subdivision 2 of the Minnesota Consumer Data Privacy Act (MCDPA) explains that businesses must get consumer consent before processing sensitive data or using personal data for certain data processing activities:

The mechanism for revoking consent must be as easy and accessible as that used to get consent. Once a consumer revokes their consent, you have 15 days to stop processing their personal data.

Conduct Data Privacy and Protection Assessments

The Minnesota Consumer Data Privacy Act (MCDPA) requires you to conduct a data privacy and protection assessment for each of the following data processing activities:

• Processing personal data for targeted advertising purposes
• Selling personal data
• Processing sensitive data
• Any activities that involve an elevated risk of harm to consumers
• Processing personal data for profiling purposes that could result in harm to consumers

The data privacy and protection assessment should contain a risk-benefit analysis for each of these activities and include a description of your privacy practices.

Section 10 [325O.08] of the Minnesota Consumer Data Privacy Act (MCDPA) explains the information that a data privacy and protection assessment should contain, including a description of the risks and benefits of certain data processing activities:

What are the Penalties for Non-Compliance with the Minnesota Consumer Data Privacy Act (MCDPA)?

If the attorney general finds an organization to be in violation of the MCDPA, they will send them a warning letter.

If the organization does not cure the violation within 30 days, the attorney general may bring civil action against the organization. Anyone found in violation of the law may be subject to an injunction and civil penalties of up to $7,500 per violation.

Section 12 [325O.10] of the Minnesota Consumer Data Privacy Act (MCDPA) explains that controllers or processors that breach the law may face penalties of up to $7,500 for each violation:

Summary

The Minnesota Consumer Data Privacy Act (MCDPA)is Minnesota's comprehensive data privacy law. It gives consumers privacy rights and details the rules applicable organizations must follow when handling Minnesota residents' personal information.

Organizations that either do business in Minnesota or provide goods or services to Minnesota residents and meet the law's thresholds must comply with the MCDPA.

The law applies to organizations that:

• Control or process personal data belonging to 100,000 consumers or more each year (for purposes other than payment transactions), and/or
• Get at least 25% of their gross revenue from selling personal data and process or control the personal data of more than 25,000 consumers

The Minnesota Consumer Data Privacy Act (MCDPA) does not apply to certain entities and types of information, including government agencies and protected health information.

The Minnesota Consumer Data Privacy Act (MCDPA) requires applicable organizations to:

• Maintain a Privacy Policy that is accessible from their websites and/or apps
• Give consumers a way to exercise their rights
• Respond to consumer requests
• Provide opt-out mechanisms
• Maintain a contract between controllers and processors
• Keep personal data secure
• Get consumer consent before engaging in certain data processing activities
• Conduct data privacy and protection assessments for certain data processing activities

A MCDPA-compliant Privacy Policy should contain the following clauses:

• What personal data you process
• Why you process personal data
• A description of consumers' rights and an explanation of how they can exercise them
• What personal data you sell to or share with third parties
• What third parties you sell personal data to or share personal data with
• Your contact information
• Your data retention policies
• A description of data processing activities that consumers can opt-out of that includes a link to your opt-out mechanism

Anyone who violates the Minnesota Consumer Data Privacy Act (MCDPA) may face penalties of up to $7,500 per violation.