The North Star State Joins the State Privacy Law Constellation
On May 19, 2024, the Minnesota Legislature passed HF 4757, an omnibus budget bill that includes the Minnesota Consumer Data Privacy Act (MNCDPA). The bill now heads to Governor Walz for signature. Developed by State Representative Steve Elkins over nearly five years and multiple legislative sessions, the MNCDPA is among the strongest iterations of the Washington Privacy Act (WPA) framework. In this blog post, we highlight nine things to know about the MNCDPA that set Minnesota apart in the state privacy law landscape. If enacted by Governor Walz, the law will take effect on July 31, 2025 for most controllers and on July 31, 2029 for postsecondary institutions regulated by the Office of Higher Education.
1. Expansive Rights Include Contesting Profiling Decisions, Identifying Specific Third Party Recipients of Personal Data, and Adolescent Privacy Protections
Like the majority of states, the MNCDPA provides core individual rights of access; correction; deletion; portability; and to opt-out of processing personal data for targeted advertising, sale of personal data, or profiling in furtherance of automated decisions that produce legal or similarly significant effects.
Minnesota is the first state, however, to offer an additional right with respect to profiling: Where an individual’s data is profiled in furtherance of decisions that produce legal or similarly significant effects, the individual has a right to contest the result of the profiling. This includes: a right to be informed of actions that could have been taken by the individual “to secure a different decision” and actions that can be taken in the future; a right to review the personal data used in the profiling; and, if that decision was based on inaccurate personal data, a right to correct that data and have the profiling decision be reevaluated. This right to contest a decision based on profiling appears to be broader than the right to opt-out of profiling, because the opt-out right applies to profiling in furtherance of automated decisions that produce legal or similarly significant effects whereas the right to contest the result of profiling applies to profiling in furtherance of decisions with such effects.
The MNCDPA also follows trends established by other states with respect to expanded individual rights. Like the Oregon Consumer Privacy Act, the MNCDPA includes a right for individuals to obtain a list of specific third parties to whom their personal data has been disclosed or, if that information is not available, a list of specific third parties to whom the controller has disclosed any individual’s personal data.
The MNCDPA also provides heightened protections for adolescents. Like the majority of state privacy laws, the MNCDPA deems the personal data of a “known child”—where a controller has actual knowledge of, or willfully disregards, that individual is younger than 13—as sensitive data, requiring opt-in consent for processing. Some states, like Oregon and New Jersey, have started adding additional protections for teenagers by changing opt-out rights to opt-ins, and Minnesota follows that trend: For targeted advertising and sale of personal data, the controller must obtain consent if the controller knows that the individual is between the ages of 13 and 16. Notably, those protections only apply where a controller “knows” the individual is between those ages, not if the controller “willfully disregards” the individual’s age. That is a departure from similar adolescent privacy protections in other states and narrows Minnesota’s adolescent privacy protections.
2. When Individuals Exercise Their Rights, Controllers Must Disclose Whether They Collected Certain Information
When an individual exercises any of their rights under the MNCDPA, controllers have an additional requirement to inform individuals “with sufficient particularity” whether the following types of information have been collected but to not disclose the information itself: (1) SSN; (2) driver’s license or government ID number; (3) financial account number; (4) health insurance account or medical identification number; (5) account password, security questions, or answers; or (6) biometric data. This obligation to inform with sufficient particularity that these types of data have been collected applies whenever an individual exercises any of their rights, not just the right to access. Given that a controller must not disclose the listed information, this provision arguably narrows the right to access with respect to these types of data, but is likely to benefit security overall and help prevent identity theft.
3. Heightened Data Security Requirements Include Inventorying Data, Documenting Compliance, and Appointing a Chief Privacy Officer
Like the majority of states, the MNCDPA requires controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, and integrity, and accessibility of personal data.” Minnesota goes further than other states, however, by explicitly requiring that such security practices include maintenance of a data inventory. Although this is often considered a best practice in many circumstances and is likely a standard practice amongst companies subject to such reasonable security requirements in other states, no prior state comprehensive privacy law has mandated that controllers create and maintain this kind of inventory. The bill provides no specific definition or guidance as to what this inventory should entail.
The MNCDPA also includes prescriptive requirements for controllers to “document and maintain a description of the policies and procedures the controller has adopted to comply with [the law],” including the name and contact information of the chief privacy officer or individual with primary compliance responsibility as well as a description of the policies and procedures taken to comply with the controller duties, which has many subcomponents. The implicit requirement to have a chief privacy officer or similar individual responsible for compliance is a first amongst state comprehensive privacy laws.
Another novel controller duty which will impact data security is that controllers are prohibited from retaining personal data “that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed.” This retention principle may have already been an implicit requirement under the bill’s data minimization and purpose limitation rules.
4. Novel Protections for Deidentified and Pseudonymised Data
State comprehensive privacy laws typically require that controllers who disclose de-identified or pseudonymous data “exercise reasonable oversight to monitor compliance with any contractual commitments” to which that data are subject. Consistent with the Colorado Privacy Act, the MNCDPA extends this obligation to use of such data rather than just disclosure. Additionally, the MNCDPA includes two novel protections for deidentified and pseudonymous data, providing that: (1) processors and third parties may not attempt to identify the subjects of such data without the “express authority” of the controller who deidentified or pseudonymized the data; and (2) controllers, processors, and third parties may not attempt to identify the subjects of data that was collected with only pseudonymous identifiers.
5. “Data Privacy and Protection Assessments” Introduce Expansive New DPIA Requirements
As is common under laws drafted in the WPA framework, the MNCDPA requires controllers to conduct and document assessments for certain high-risk processing activities. The MNCDPA uses the term “data privacy and protection assessment” (DPPA) rather than the more familiar terms “data protection assessments” or “data protection impact assessments” used in other states, which reflects the fact that the MNCDPA’s DPPA requirements are similar but not identical to the requirements in other states.
The triggers for conducting a DPPA are similar to those under other states: processing personal data for targeted advertising; selling personal data; processing sensitive data; conducting any processing activity that presents a heightened risk of harm to individuals; or processing personal data for profiling that presents a reasonably foreseeable risk of certain substantial injuries (e.g., unfair treatment, financial injury, etc.). Where the MNCDPA differs from other states is in its more prescriptive content requirements. DPPAs must take into account the type of personal data to be processed, whether the data are sensitive data, and the context of processing. Furthermore, the DPPA must include the description of policies and procedures which the controller is required to create (see section 2 above for a description of this requirement).
6. Minnesota Continues Maryland’s Trend of Heightening Civil Rights and Nondiscrimination Protections
State privacy laws typically prohibit controllers from processing personal data in violation of state or federal laws that prohibit unlawful discrimination. The MNCDPA contains an additional civil rights protection: Controllers may not process individuals’ personal data on the basis of their “actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the [individual or class of individuals] with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.” This is similar to a prohibition in the recently enacted Maryland Online Data Privacy Act (MODPA), which prohibits controllers from processing personal data or publicly available data in a way that either unlawfully discriminates in or unlawfully makes unavailable “the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, sexual orientation, gender identity, or disability,” subject to limited exceptions.
7. Specific Geolocation Data is Defined Based on Decimals of Latitude and Longitude Instead of Feet
The majority of state comprehensive privacy laws include precise geolocation data as a category of sensitive data. Although the language varies slightly from state to state, that term is generally defined as information derived from technology that identifies an individual’s specific location (or a device linked or linkable to the individual, in Oregon), accurate within a radius of 1,750 feet or less (1,850 feet in California).
The MNCDPA includes “specific geolocation data” as a category of sensitive data, but it abandoned this foot-based standard in favor of a definition based on decimals of latitude and longitude: Specific geolocation data means “information derived from technology . . . that directly identifies the geographic coordinates of a consumer or a device linked to a consumer with an accuracy of more than three decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates.” This definition includes typically exceptions for content of communications and data generated by utility metering infrastructure or equipment, but it also includes a novel carve-out for “the contents of databases containing street address information which are accessible to the public as authorized by law.”
8. Limited Applicability to Small Businesses, Like Under the Texas Data Privacy and Security Act
The MNCDPA contains two levels of protections for small businesses. First, the law’s thresholds for applicability are relatively high. A controller is not subject to the law unless they process either (1) the personal data of 100K Minnesotans (excluding payment transactions data) or (2) generate at least 25% of their gross revenue from the sale of personal data and process the personal data of at least 25K Minnesotans. Second, small businesses, as defined by the U.S. Small Business Administration in 13 C.R.F. 121, are largely exempt from the MNCDPA. Notwithstanding this limited entity-level exemption, small businesses are prohibited from selling an individual’s sensitive data without that individual’s prior consent. The Texas Data Privacy and Security Act and the recently enacted Nebraska Data Privacy Act include similar provisions, but neither of those laws include controller thresholds on top of the small business exemption.
9. New Requirements for Privacy Notices and Assessments
The MNCDPA contains novel transparency obligations, requiring that controllers include in their privacy notice “a description of the controller’s retention policies for personal data” as well as the date the notice was last updated. The bill also details how a privacy notice should be made available: Privacy notices “must be posted online through a conspicuous hyperlink using the word ‘privacy’ on the controller’s website home page or on a mobile application’s app store page or download page,” provided via a hyperlink in an app’s settings menu or similarly conspicuous and accessible location, or, if the controller does not operate a website, made available “through a medium regularly used by the controller” to interact with individuals. Controllers are not required to provide a Minnesota-specific notice if their general privacy notice contains all the required information.
