Minnesota Enacts Comprehensive Data Privacy Law

On May 24, Governor Tim Walz signed into law the Minnesota Consumer Privacy Act (H.F. 4757) (the “MCPA”), which takes effect July 31, 2025.

Minnesota joins the many other states who have now passed laws similar to the California Consumer Privacy Act, granting enhanced data privacy rights to individuals. In the absence of a comprehensive federal privacy law, businesses and organizations that handle personal data must comply with multiple federal, state, and sometimes global data privacy laws.

States with data privacy laws now include California, Connecticut, Colorado, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia.

Is Your Business Ready for 2024 and the New Data Privacy Laws?

I have the perfect tool to get you started.

Our popular 2024 Legal Guide to Privacy and Data Security is now available. This guide is a collaborative effort between Lathrop GPM and the Minnesota Department of Employment and Economic Development (DEED). You can find a digital version here. You can also get an old school paper version by contacting me here.

The guide is written for non-lawyers and offers insight into a variety of privacy and data security related laws, the impact of such laws on businesses, and best practices to mitigate risks.

New GDPR Adequacy Decision for the EU-US Data Privacy Framework

According to the General Data Protection Act (GDPR), transfer of personal data to a country outside the EU can only take place where the recipient country ensures an adequate level of protection for the rights of EU data subjects.

Until recently, the European Commission had deemed the United States to have inadequate data privacy and security protections and required businesses to find legal mechanisms to allow for such cross border transfer of data. That has now changed. On July 10, 2023, the European Commission formally adopted a new adequacy decision on the EU-U.S. Data Privacy Framework. The adoption of this adequacy decision follows years of intense negotiations between the EU and the U.S., after the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield that had earlier been in place.

2023 Legal Guide to Privacy and Data Security

The 2023 Legal Guide to Privacy and Data Security is now available. This Guide is a collaborative effort between Lathrop GPM and the Minnesota Department of Employment and Economic Development (DEED). A digital version of the 2023 Legal Guide to Privacy and Data Security can be downloaded here.

The guide is written for non-lawyers and offers insight into a variety of privacy and data security-related laws, the impact of such laws on businesses, and best practices to mitigate risks.

We prepared the first version of this guide in 2014. Since then, DEED has published seven updated editions. The frequency of these updates is evidence of the ever-evolving legal landscape of data privacy and security.

New developments in 2023 include amendments to the Safeguards Rule of the Gramm Leach Bliley Act, which became effective October 27, 2022. These amendments expand the definition of financial institutions covered by the law and impose new burdensome requirements related to data security. Motor vehicle dealers and colleges are just two examples of non-banking “financial institutions” that now fit the expanded definition of so-called “finders” and are required to implement and maintain a comprehensive data security system that protects customer information.

What Do California, Virginia, Colorado, Connecticut and Utah Have in Common? New Data Privacy Laws That Take Effect in 2023

Are you ready for the California Privacy Rights Act (CPRA)?

The CPRA, which becomes effective January 1, 2023, is essentially an extension and amendment of the California Consumer Privacy Act (CCPA). In my last blog post, I wrote about the first CCPA enforcement action by the California Attorney General, which resulted in a $1.2 million settlement with Sephora Now the CPRA has created a new well-funded California Privacy Protection Agency (CPPA), which will likely to be far more aggressive in bringing actions than the California Attorney General’s Office has been.

Other states have followed California and passed more stringent data privacy laws. Virginia’s Consumer Data Protection Act also goes into effect January 1, 2023. The Colorado Privacy Act becomes effective July 1, 2023, as does the new data privacy law in Connecticut. Utah’s Consumer Privacy Act becomes effective December 31, 2023.

First CCPA Enforcement Action by the California AG – Lessons Learned

The California Privacy Rights Act (CPRA) and other new state data privacy laws are set to take effect in 2023. If you needed an incentive to review your compliance obligations, the California Attorney General recently provided one in its $1.2 million settlement of an enforcement action under the California Consumer Privacy Act (CCPA), upon which the CPRA expands. Anyone with an e-commerce website should take heed.

Summary of the Enforcement Action. According to the California AG, Sephora, a French cosmetics brand, failed to disclose to consumers it was “selling” (a broadly defined term under the CCPA) their personal information; failed to honor user requests to opt out of sales via a user-enabled Global Privacy Control; and failed to cure these violations within the 30-day period allowed by the CCPA. In addition to the settlement amount, Sephora promised to report to the AG on its changes to its privacy regimen for a period of two years.

The Russians Are Coming! The Russians Are Coming? Or Maybe the FTC

As we watch the televised Russian invasion of Ukraine with horrific destruction and casualties caused by missiles, tanks, and other conventional warfare, the hostilities may seem far away and distant. As Russia continues to suffer setbacks in their conventional military approach, we are likely to see cyberattacks that could spread beyond the Russian-Ukrainian conflict.

In a meeting with business leaders on March 21, Joe Biden gave the following warning:

“This is a critical moment to accelerate our work to improve domestic cybersecurity and bolster our national resilience. I have previously warned about the potential that Russia could conduct malicious cyber activity against the United States, including as a response to the unprecedented economic costs we’ve imposed on Russia alongside our allies and partners. It’s part of Russia’s playbook. Today, my administration is reiterating those warnings based on evolving intelligence that the Russian Government is exploring options for potential cyberattacks…….

If you have not already done so, I urge our private sector partners to harden your cyber defenses, immediately implementing the best practices we have developed together over the last year. You have the power, the capacity, and the responsibility to strengthen the cybersecurity and resilience of the critical services and technologies on which Americans rely. We need everyone to do their part to meet one of the defining threats of our time — your vigilance and urgency today can prevent or mitigate attacks tomorrow.”

Musings of a Privacy Professional

I am pleased to announce publication of the 2022 version of the Lathrop GPM Legal Guide to Privacy and Data Security.

The Guide can be downloaded from the Minnesota Department of Employment and Economic Development website here or our law firm website.

The purpose of the Guide, a collaborative effort of Lathrop GPM and the State of Minnesota, is to help businesses and organizations navigate the legal issues related to privacy and data security. The Guide covers the key federal, state, and global privacy laws, as well as best practices.

While we have not yet seen a comprehensive federal data privacy law, Virginia and Colorado followed California in passing new data privacy laws in 2021. Other states have legislative initiatives underway, and we are likely to see more states enacting data privacy laws this year. Any business that collects personal information of Colorado, Virginia, or California residents will want to become familiar with these new laws.

Have You Been Stung by the Privacy Bee?

Privacy Bee, and other so-called privacy advocate organizations, have been sending thousands of data access and deletion requests invoking the California Consumer Privacy Act (“CCPA”). They assert such rights on behalf of individual consumers pursuant to a power of attorney authorized by the CCPA. In many cases these individual consumers have had no interaction with the business. 

Here is a sample of such a request from Privacy Bee:

I am hereby submitting a personal data request pursuant to Section 1798.105 of CCPA (SB-1121), Article 17 of GDPR, Nevada SB-220, New Hampshire HB 1680-FN, Washington Privacy SB-5376, Illinois DTPA SB2330, New York S5462, Hawaii SB 418, North Dakota HB 1485, Massachusetts S-120, Maryland SB 613, Texas Privacy Protection Act HB 4390, or other applicable right-to-be-forgotten legislation. If you feel my data is exempt from privacy legislation for any reason, I'm still asking you to respect my wishes regardless, as I believe privacy is a universal human right and I'm hopeful the integrity of your organization will honor my request with or without legal requisite.

The Ever-Changing Data Privacy Legal Landscape

It seems like a week does not go by without some new law or guidance that requires me to re-evaluate the advice given to businesses on how to comply with the ever-changing data privacy laws. 

Just as businesses were getting accustomed to the new compliance requirements imposed by the General Data Protection Regulation (GDPR), California surprised everyone and enacted the 2018 California Consumer Privacy Act (CCPA), which I discussed in this post. Businesses were quick to update privacy policies and implement new systems and processes to comply with both the GDPR and CCPA. Data subject access requests, known as DSAR’s, kept lawyers like myself and other compliance professionals busy.

The EU considers current USA data privacy protection safeguards as inadequate; as a result, a business cannot collect and process data of resident of the EU on a server based in the USA without finding some GDPR approved legal mechanism. When the so-called Privacy Shield was invalidated in July 2020 by the European Commission, businesses lost a popular safe harbor and were left with Standard Contractual Clauses (SCC’s) as a GDPR approved legal mechanism to permit the cross-border transfer of personal data from EU residents.

• Then, on June 4, 2021, the European Commission adopted new SCC’s which, once again, will require businesses to re-evaluate their data processing activities.
• In 2021 we have already seen Virginia and Colorado join California and pass their own versions of data privacy laws. 
• On June 24 Connecticut passed a new cybersecurity law that provides incentives to businesses who implement reasonable data security.

It seems inevitable that other states will follow with their own flavor of data privacy rights for their residents. Each of these new state laws have similarities and differences that can make compliance a real challenge. While we can all hope for a comprehensive federal data privacy law that might allow businesses and their legal counsel to craft practical compliance programs, Congress is not likely to pass such a law anytime soon. 

Virginia Joins California in Consumer Rights Protection

Enhanced data privacy rights are coming your way. The Europeans started it with the GDPR in 2018, followed soon thereafter by California’s California Consumer Privacy Act (CCPA).

As businesses focused on GDPR and CCPA compliance, California voters passed an initiative and a new law known as the California Privacy Rights Act (CPRA) that takes effect January 1, 2023.

The newest kid on the block is Virginia, with Governor Northam signing into law the Virginia Consumer Data Protection Act (CDPA) on March 1, 2021. It takes effect the same day as the CPRA — January 1, 2023. 

Not many were paying attention as the CDPA flew through the Virginia Legislature, passing by overwhelming margin in fewer than two months. Similar privacy legislation has been introduced in other states including Washington, Colorado, Connecticut, and Minnesota.  

What are the implications of the CDPA and how is it different than the CCPA or CPRA? 

The Virginia law differs from the California approach and adds a few operational challenges for businesses, including:

• A broader affirmative consent or opt-in requirement to process sensitive personal data. 
• A broader opt-out right of processing personal data that covers not only sales of personal data, but also targeted advertising and profiling decisions that produce legal or similarly significant effects.
• Similar to the GDPR, mandatory data protection assessments are required for sales, targeted advertising, and profiling, including profiling that presents a reasonably foreseeable risk of unfair or deceptive treatment. 
• The roles of controllers and processors are defined with specific processor role-based requirements and obligations to provide assistance to and adhere to the controller’s instructions and to demonstrate compliance with processor obligations. 

Are You Ready for a New Canadian Privacy Law?

As if we weren’t already confused by COPPA, CCPA, and CPRA, we may soon welcome CCPA as the newest addition to the “A-C-P” alphabet soup of data privacy laws.

Here is a primer to avoid confusion:

COPPA = Children’s Online Privacy Protection Act 

CCPA = California Consumer Privacy Act

CPRA = California Privacy Rights Act 

CPPA = Consumer Privacy Protection Act 

On Nov. 17, 2020, Canada’s federal government introduced a bill to enact new legislation to strengthen data privacy protections for individuals. The proposed legislation, known as the Consumer Privacy Protection Act (CPPA), would be the first major overhaul of Canada’s privacy laws since the Personal Information Protection and Electronic Documents Act (PIPEDA) became effective in April 2000. If passed, CPPA will provide data privacy rights to individuals similar to those afforded under the European Union’s General Data Protection Regulation (GDPR), the CCPA, and CPRA. 

CPPA will bring significant changes to PIPEDA including:

Enhanced Individual Rights: The CPPA would expand the rights of Canadian consumers in relation to how organizations collect and process their data. Similar to GDPR, consumers will have the right to request deletion of their personal data and to withdraw consent for any further use of their information. Consumers will also have the right to request transfer of their data from one organization to another. Businesses will be required to transparently describe to individuals any use of an automated decision system — such as algorithms and artificial intelligence — to make predictions, recommendations, or decisions about individuals that could have a significant impact on them. Individuals will also have the right to request an explanation as to how information about them was obtained as well as how any prediction, recommendation, or decision was made by an automated decision-making system.  

What Is an ATDS and Why Should I Care?

The Supreme Court had more on its plate last week than considering how to respond to election fraud claims made by Donald Trump. On December 8, the court heard oral arguments in Facebook Inc. v. Duguid, a case that has been anticipated by many who have had to determine what they could do when using phone calls or texts to reach customers.

For 10 months, Facebook sent text messages to Noah Duguid, without his consent, alerting him that someone was trying to access his Facebook account. An account Noah did not even have. Noah Duguid sued Facebook.

Such phone calls or texts are governed by the Telephone Consumer Protection Act of 1991 (TCPA), one of the few privacy-related laws that allow for a private right of action. Multi-million dollar lawsuits have stymied businesses who have failed to comply with the consent requirements of the TCPA.

At issue in Facebook Inc. v Duguid, is whether the TCPA definition of an “automatic telephone dialing system” (ATDS) encompasses any device that can “store” and “automatically dial” telephone numbers, even if the device does not “use a random or sequential number generator.”

Facebook argued that the equipment it used to send the text messages to Noah was not an ATDS and it was therefore not in violation of the TCPA. Facebook also contended its First Amendment rights would be violated if it were found liable.  

LET THE LAWSUITS BEGIN. ARE YOU READY FOR CCPA 2.0?

My last post discussed the California Consumer Privacy Act (CCPA), the importance of getting ready
for enforcement by the California Attorney General beginning last July 1, and the likelihood of lawsuits under the CCPA’s “first of its kind” private right of action.

We have not yet seen any government enforcement actions by the California Attorney General’s Office, but warning notices have apparently been sent to businesses alleging violations of the CCPA. While the content of these notices is confidential, Stacey Schesser, California’s supervising deputy AG, shared some information at an International Association of Privacy Professionals event in July. According to Schesser, the letters mainly targeted businesses that were missing key privacy disclosures (such as a “Do Not Sell” link) on their websites or weren’t properly responding to consumer rights requests, including those relating to the right of access or deletion. The CCPA allows a business 30 days to cure its violation before the AG takes any action.

While waiting for government enforcement actions, we have seen at least 34 class actions filed under the CCPA, including one against Walmart. The retail giant was allegedly hacked, resulting in credit card information of Walmart customers being sold on the dark web where criminals and fraudsters operate with relative impunity.

Are You Ready for July 1 CCPA Enforcement?

If you are a privacy geek like me, you circled July 1, 2020, on your calendar the same way you circled May 25, 2018. (Actually, I put a note in my Microsoft Outlook calendar.)

On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect with significant new data privacy rights and protections for EU residents. Since 2016 I had been sending out client alerts, writing blog posts, hosting webinars, speaking, and warning of the coming enforcement date. Businesses began feeling fatigue from the endless webinars and articles on the GDPR. Yet, as we got closer to May 2018, my clients became more and more interested in what GDPR meant for their businesses. 

Unfortunately for businesses with potential GDPR compliance issues, it was difficult to implement compliance measures quickly and efficiently. What were these businesses doing for the two years leading up to May 2018? 

On June 28, 2018, just a few weeks after the GDPR took effect, the California Consumer Privacy Act (CCPA) was signed into law by Governor Brown with an effective date of January 1, 2020. 

Many businesses have already taken important steps to comply with the CCPA by updating their website privacy policies and upgrading data security systems, processes, and policies. I am also seeing a significant uptick in CCPA related calls and emails as we get closer to July 1, the date by which the California Attorney General was required to adopt regulations implementing the CCPA. 

So how real is this July 1 enforcement date? 

USING E-COMMERCE TO SURVIVE COVID-19

Businesses have been forced to close their brick and mortar stores. We are all practicing safe distancing. People are working remotely. COVID-19 has already had a significant impact on how we conduct business. 

While the digital transformation was well underway before COVID-19, the transition to more vigorous and expansive e-commerce has never been more apparent. Amazon was set to hire over 100,000 new employees by April 1. Zoom has replaced all face-to face business meetings. Virtual interactions are the new norm. 

Nearly all companies now use some form of online or mobile websites and social media to promote their businesses, sell goods or services, conduct business transactions, and connect and communicate with customers, clients, or other businesses. 

For businesses that already enjoyed a robust e-commerce presence, now is a good time to review and enhance e-commerce strategies. For those businesses with a limited or non-existent online presence, their very survival may require a fresh look at e-commerce.

Will 2020 See a Comprehensive Federal Privacy Law?

I just finished presenting my second webinar on the new California Consumer Privacy Act (CCPA), which becomes effective January 1, 2020.  Not a lot of time left to get ready.

Businesses are frantically performing data mapping to find out what personal information they collect on California residents and for what purposes, revising their website privacy policies, implementing data security safeguards, reviewing vendor agreements, creating new procedures to respond to consumer requests for access to or deletion of data, purchasing cybersecurity insurance, and other activities necessary to comply with the CCPA.

Many are fearful of the lawsuits likely to follow as a result of the CCPA’s private right of action and provision for statutory damages of up to $750 per incident in the event of a data breach. If records of 50,000 California residents are involved in a data breach, and the business failed to have reasonable data security in place to protect against the breach, a potential claim under the CCPA could exceed $37.5 million. What’s more, under the CCPA, a plaintiff’s lawyer does not need to show any actual harm to an individual caused by such a data breach.  

This private right of action — and potential class action lawsuits enabled by this right — are scary.  

Similar to the CCPA, the Illinois Biometric Information Privacy Act (BIPA) — that regulates the collection, capture, and storage of biometric identifiers such as fingerprints, voiceprints, and retina/iris scans — also provides for a private right of action. Under the BIPA, a person can recover liquidated damages of up to $5,000 or actual damages, whichever amount is greater, for an intentional or reckless violation of the BIPA. In 2019 alone, there have already been over 160 class actions filed asserting BIPA violations. The Telephone Consumer Protection Act (TCPA) is another privacy related law with a private right of action that has led to an explosion of private lawsuits and multi-million dollar settlements. 

With statutory damages, private rights of action, and no need to allege or prove any actual injury or harm, BIPA, TCPA, and now the CCPA are open invitations to plaintiffs’ lawyers looking for potentially lucrative class actions.

Alastair Mactaggart Joins My Privacy Hall Of Fame

“I just think the data use by these companies is out of control”

--Alastair Mactaggart, California Real Estate Developer

Who is Alastair Mactaggart? He has done more than any other person to expand the privacy rights of individuals in the United States. In 2016, Mactaggart, who earned a fortune in Bay Area real estate, was talking with a Google employee about the amount of personal information collected by companies. This casual conversation led him to fund a citizens initiative that was set to appear on the November 2018 ballot in California. It would have given California residents extensive new rights to control how their data is collected and used by businesses. Following intensive lobbying by tech groups the ballot initiative was withdrawn by Mactaggart and in its place the California legislature (in less than a week) passed the California Consumer Privacy Act (CCPA). Effective January 1, 2020 the CCPA becomes the most extensive consumer privacy legislation ever passed in the United States. It gives Californians sweeping new data privacy rights, including a first-of-its-kind private right of action that will encourage lawsuits against businesses who fail to comply with the data breach portion of the CCPA. What a difference one person (with a lot of money) can make.

Musings of a Privacy Professional

My random hopes, fears, thoughts, predictions, advice, and personal observations on GDPR, CCPA, NSA, and other privacy and data security matters:

• Despite the intense lobbying efforts of tech companies and others, Congress — fearful of the California Consumer Privacy Protection Act (CCPA), which becomes effective January 1, 2020 — will not pass a new comprehensive federal privacy and data security law this year.
• Plaintiffs’ lawyers will start gearing up for the class action lawsuits they hope to bring under the CCPA. Lawyers who have already benefited enormously from the Telephone Consumer Protection Act (TCPA) private right of action for noncompliant text messages and robo calls will likely add this new lucrative specialty to their practices.
• Regarding the General Data Protection Regulation (GDPR), fatigue has set in and, except for one large fine against Google, we have seen limited enforcement actions by the Europeans. Expect to see more actions against companies who have failed to comply with GDPR requirements regarding transparency, data breach, cross-border data transfer, and data access requests. It is never too late to consider a GDPR compliance review.

TIME FOR A FEDERAL DATA PRIVACY LAW?

In Europe, privacy is considered a fundamental human right. If you are collecting, using, or sharing personal information of a European resident, you will likely have to comply with the General Data Protection Regulation (GDPR) that became effective May 25, 2018. This single comprehensive omnibus law covers all industries and sectors and applies to all member countries. Penalties for noncompliance can be severe.

The United States does not have a single comprehensive privacy law. Instead, the United States has a patchwork of federal and state laws and has taken a sectoral approach to regulating data privacy. We have laws specific to industries and type of information such as health care, financial services, telemarketing, student records, and the online collection, use, and disclosure of information from children. States enact their own laws including data breach notification laws that now exist in all 50 states. A business that experiences a data breach must comply with the state law where each individual resides.

Great for lawyers, but terrible for businesses trying to figure out compliance obligations imposed by differing state and federal standards and laws regarding data privacy and breach notification.