Who Is Covered?
The MCPA covers legal entities that conduct business in Minnesota or produce products or services targeted to state residents, and that satisfy one or more of the following:
- During a calendar year, control or process the personal data of at least 100,000 consumers (excluding payment transactions).
- Derive over 25% of gross revenue from the sale of personal data and process or control the personal data of at least 25,000 consumers.
Unlike the California Consumer Privacy Act and other state data privacy laws, there is no broad exemption in the MCPA for nonprofits. Businesses and nonprofit organizations must review their privacy policies and practices to assure compliance and avoid enforcement actions by the Minnesota Attorney General’s office.
MCPA Exemptions
The MCPA includes exemptions for certain types of businesses and data. Governmental entities, federally recognized Indian tribes, “small businesses” as defined by the U.S. Small Business Administration regulations, air carriers under the Airline Deregulation Act, and certain kinds of banks, credit unions and insurance companies are exempt.
The data-level exemptions are consistent with most other state privacy laws. Specifically, the Minnesota Act exempts data regulated by HIPAA, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, the Minnesota Insurance Fair Information Reporting Act and various other regulations.
Enhanced Privacy Rights for Consumers
The MCPA contains obligations that largely follow provisions in other comprehensive state privacy laws. The MCPA provides consumers with the right to:
- Confirm whether a controller is processing personal data about the consumer, and to access the categories of personal data processed by the controller;
- Correct inaccurate personal data concerning the consumer, taking into account the nature of the data and purposes of processing;
- Delete the consumer’s personal data (subject to exceptions);
- Obtain a copy of personal data that the consumer previously provided to the controller, where the data processing is conducted by automated means; and
- Obtain a list of the specific third parties to whom the controller disclosed the consumer’s personal data or, if not available, a list of the specific third parties to whom the controller has disclosed any consumers’ personal data.
How Does the MCPA Differ from Other State Data Privacy Laws?
Profiling
The law includes new consumer rights and obligations around profiling practices. Consumers can request information regarding a profiling decision carried out against them, including the reasoning behind a particular profiling decision and access to the data used to reach the decision.
Data Inventory
The controller must maintain a data inventory showing what data it collects and for what purposes, and document its policies and procedures used for data security and to comply with the MCPA. Minnesota is the first state to require businesses to maintain such data inventories.
Data Retention
The new law provides that a controller may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under a statutory exception such as performing a contract to which a consumer is a party, fulfilling the terms of a written warranty, and others specifically listed in the MCPA.
Document Compliance and Identify Responsible Parties
The controller must “document and maintain a description of the policies and procedures that controller has adopted to comply” with the law. The description must include the name and contact information for the controller’s chief privacy officer or other individual with primary responsibility for directing the policies and procedures implemented to comply with the law.
Data Protection Assessments
The MCPA requires a controller to conduct “data privacy and protection assessments” for certain processing activities, including processing personal data in connection with targeted advertising, sales of personal data, processing sensitive data, profiling that presents a heightened risk of harm to consumers, and profiling that presents certain types of foreseeable risks (e.g., unfair and deceptive treatment, financial or reputational injury, intrusion on seclusion, etc.). The controller needs to document and retain such assessments and make them available to the Minnesota Attorney General upon request.
Enforcement
The MCPA is enforceable by the Attorney General’s office. There is no private right of action. Violations of the MCPA are subject to injunctive relief and civil penalties up to $7,500 per violation. The Minnesota Attorney General is required to provide a controller or processor with notice of the specific provisions of the MCPA that it alleges have been violated and 30 days to cure the violations prior to bringing an enforcement action. This cure provision expires on January 31, 2026.
Effective Date
The law’s effective date is July 31, 2025. Post-secondary institutions regulated by the Office of Higher Education are not required to comply until July 31, 2029.
What Should a Business or Non-profit Do Now to Comply?
Key action items include:
- Updating website privacy notices and implementing steps to respond to individuals asserting rights under the new law.
- Creating a data inventory that details the types of personal data collected, for what purposes, and with whom data is shared.
- If necessary, preparing data protection assessments.
More information on data privacy and security laws can be found in our A Legal Guide To Privacy and Data Security.
No comments :
Post a Comment