Minnesota was the nineteenth state to pass a comprehensive data privacy law, the Minnesota Consumer Privacy Act (H.F. 4757) (MCPA), which becomes effective on July 31, 2025.
While we continue to see more of these laws popping up across the country, one of the most important analyses that a business can do when these new laws are passed is to 1) determine if they apply to their business and 2) understand the variations from other existing laws currently in effect (especially if the business already complies with those laws).
The MCPA applies to companies that conduct business in Minnesota or produce products or ser-vices targeted to Minnesota residents and that satisfy one or more of the following:
- Control or process the personal information of at least 100,000 Minnesota consumers (excluding payment transactions), or
- Derive over 25% of gross revenue from the sale of personal information and processes or controls the personal data of at least 25,000 Minnesota consumers.
How is this new law different than other state consumer privacy laws? The law includes new consumer rights and business obligations around profiling practices. Consumers have the right to request information regarding a profiling decision carried out against them, including the reasoning behind a particular profiling decision. Consumers can also request access to the data used to make that decision.
Additionally, Minnesota also requires businesses to maintain data inventories: “controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue.”
Retention is addressed by the MCPA; a business may only retain personal information for as long as the data is relevant and reasonably necessary to fulfill the purpose for which it was collected.
Businesses must also document compliance; a business must “document and maintain a description of the policies and procedures that controller has adopted to comply.” The documentation must include the name and contact information for the entity’s chief privacy officer or other individual with primary responsibility for overseeing the policies and procedures implemented to comply with the MCPA.
After Minnesota, Rhode Island also passed a consumer privacy rights law. Be on the lookout for the rest of the country to follow along.