Minnesota Gov. Tim Walz recently signed into law HF 4757, the Minnesota Consumer Data Privacy Act, making Minnesota the 18th state to enact a comprehensive consumer data privacy law. The Act will go into effect July 31, 2025.

There were a number of consumer data privacy bills in play during the state’s legislative session that never made it to the finish line. Ultimately, the Act hitched a ride in a bill related to appropriations, cannabis policy, and commerce policy.

Minnesota joins the following states to have enacted privacy laws: California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland.

Applicability

The Minnesota Consumer Data Privacy Act applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:

  1. During a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  2. Derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.

Exemptions

Exemptions include, but are not limited to:

  1. Personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act and implementing regulations if the collection, processing, sale, or disclosure is in compliance with that law;
  2. Protected health information under the Health Insurance Portability and Accountability Act of 1996;
  3. The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act;
  4. Data collected or maintained in the course of an individual acting as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of a business if the data is collected and used solely within the context of the role.

Consumer Rights

Consumers have the right to:

  1. Confirm whether a controller is processing their personal data;
  2. Correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data;
  3. Delete personal data concerning the consumer;
  4. Obtain a portable copy of their personal data to the extent technically feasible, in a readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means;
  5. Opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects or similarly significant effects concerning the consumer;
  6. Question the results of profiling if the personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects;
  7. Obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data or, if the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers’ personal data.

Sensitive Data

A controller may not process sensitive data concerning a consumer without obtaining the consumer’s consent.

“Sensitive data” is:

  1. Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
  2. The processing of biometric data or genetic information for the purpose of uniquely identifying an individual;
  3. The personal data of a known child; or
  4. Specific geolocation data.

Contract Requirements

A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. It must also require that the processor:

  1. Ensure that each person processing personal data is subject to a duty of confidentiality;
  2. Engage a subcontractor only (a) after providing the controller with an opportunity to object, and (b) pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data;
  3. Establish, implement, and maintain reasonable data security practices;
  4. Upon request, delete or return all personal data to the controller as requested at the end of the provision of services;
  5. Upon request, make available to the controller all information necessary to demonstrate compliance with the Act;
  6. Allow for, and contribute to, reasonable assessments and inspections by the controller or the controller’s designated assessor.

Data Protection Assessments

A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data:

  1. The processing of personal data for purposes of targeted advertising;
  2. The sale of personal data;
  3. The processing of sensitive data;
  4. Any processing activities involving personal data that present a heightened risk of harm to consumers; and
  5. The processing of personal data for purposes of certain profiling.

Enforcement

The Attorney General has exclusive authority to enforce the Act and may seek a civil penalty of not more than $7,500 per violation. The Act provides a 30-day cure provision that expires Jan. 31, 2026.

Maurice Wutscher's Impression

While similar in many respects to some of the post-California comprehensive data privacy laws, the Act ventures farther in some respects, including providing consumers the right to question the results of profiling and to obtain a list of the specific third parties to whom the controller disclosed their personal data. For those aligning compliance with this Act with other state laws, careful attention is warranted given the originality of some of the provisions. For a chart comparing the state comprehensive data privacy acts, and more information and insight from Maurice Wutscher on data privacy and security laws and legislation, click here.

