On May 24, 2024, the Governor of Minnesota signed into law Senate Bill 4757, a trade-related bill containing the Minnesota Consumer Data Privacy Act (the ‘Act’). The law, which goes into effect on July 31, 2025, aims to give Minnesota consumers more rights regarding their personal data.
Scope of the law
The Act affects businesses located in Minnesota or that offer products or services to Minnesota residents and meet certain thresholds with respect to the control or processing of personal data. Specifically, it applies to:
(i) those that handle (during a calendar year) the personal data of 100,000 or more consumers (excluding data for payment transactions) or those that handle the personal data of 25,000 or more consumers if such companies obtain more than 25% of their gross income from the sale of personal data; or
(ii) those who are technology providers and contract with educational agencies and institutions pursuant to Minnesota Statute § 13.32.
The Act exempts several categories of entities, including government entities, federally recognized American Indian tribes, chartered banks or credit unions, and insurance companies. It also exempts certain data governed by other regimes, including financial data regulated by the Gramm-Leach-Bliley Act, protected health information governed by the Health Insurance Portability and Accountability Act, and consumer credit report data. Small businesses, as defined by federal standards, are also exempt, but must still obtain consent to sell sensitive personal data.
Key aspects of the law
The Act provides specific rights to consumers who are residents of the state of Minnesota and who are acting in a personal or household capacity, not in a business or employment context, subject to certain criteria, exemptions and limitations. These rights include:
- Verification and access: Consumers have the right to confirm whether or not a company is processing their personal data and to access that personal data.
- Correction: Consumers have the right to correct any inaccuracies in their personal data.
- Suppression: Consumers have the right to have their personal data deleted.
- Data portability: Consumers have the right to obtain a copy of their personal data in a usable format.
- Opt-Out Rights: Consumers can opt out of having their personal data used for targeted advertising, sold, or used in profiling.
- Third Party Disclosure: Consumers may request a list of third parties to whom their data has been disclosed.
The Act also contains obligations for applicable companies, such as limiting the collection of personal data, requiring consent for the use of secondary data, and conducting data privacy assessments. Under the law, applicable companies must provide clear privacy notices, notify consumers about important changes, and offer withdrawal options.
While the Act includes provisions similar to those granted under other comprehensive privacy laws of other U.S. states, the Act also has certain distinctive features, including:
- Profiling decision rights. If a consumer’s personal data is used to make a profiling decision against them, the Law gives consumers the right to (i) know the reason behind such a decision and, if possible, what actions could have been taken to lead to a different result and what actions may change future decisions and (ii) review the data used in the profiling decision, correct any inaccuracies and have such decision re-evaluated based on correct data (as set out in Section 6(1)(g) of the Law).
- Expansion of consumer rights. The Act gives consumers (i) the right to obtain from a business a list of third parties to which the business has disclosed the consumer’s personal data or, if the business does not maintain this information in a consumer-specific format, a list of third parties to whom the company has disclosed personal data, (ii) the right to request that a company delete all personal data relating to the consumer, and (iii) the right to appeal a company’s refusal to take action on a request to exercise an individual consumer right by such business (as set out in Section 6(1)(h), Section 6(1)(d)(4)(f) and Section 6(5) of the Law, respectively).
- A data processing agreement (“DPA”) is required. The Act requires companies to enter into DPAs with all third parties that process personal data on their behalf (as set out in Section 5(c) of the Act).
- Protection for teenagers. The Act explicitly prohibits companies from processing consumers’ personal data for the purposes of targeted advertising when the company knows that the consumer is between 13 and 16 years of age (as set out in Section 8(2)(f) of the Act).
- Maintain an inventory of personal data. The Law requires companies to establish, implement and maintain reasonable administrative, technical and physical security measures to protect the confidentiality of personal data, including maintaining an inventory of any personal data that must be managed to achieve such measures (as set forth in Article 8(2)(c) of the Law).
Application
The Act will be enforced by the Minnesota Attorney General’s Office. Violations of the Act may result in civil penalties, with fines reaching up to US$7,500 for each instance of non-compliance.
The law is available here and legislative history here.
Keynote USA