Minnesota and Rhode Island are the latest states to pass comprehensive privacy legislation, joining a number of states who have enacted similar laws. This blog post summarizes the statutes’ key takeaways.
Minnesota
On May 19, 2024, the Minnesota legislature passed HF 4757, an omnibus bill containing a comprehensive privacy statute (“the Act”). The Act was signed into law on May 24, 2024, and takes effect on July 31, 2025. The Act resembles the comprehensive privacy statutes in Virginia and other states, though there are some notable distinctions.
- Scope and Applicability: The Act will apply to controllers that conduct business in Minnesota or produce products or services targeted to residents of Minnesota and, during a calendar year, control or process (1) the personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a transaction; or (2) the personal data of at least 25,000 consumers where the business derives 25% or more gross revenue from the sale of personal data. The Act includes a few unique exemptions, such as for insurance companies and small businesses.
- Consumer Rights: Consumers will have the rights of access (including access to a list of third parties to whom the controller has disclosed the consumer’s data, or a list of the third parties to whom the controller has disclosed any consumer’s data), deletion, portability, and correction under the Act. Moreover, the Act will provide consumers with the right to opt out of targeted advertising, the sale of personal data, and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. The Act will require controllers to develop a universal opt out mechanism by which consumers can exercise these rights. Additionally, the Act creates new consumer rights regarding profiling in furtherance of decisions that produce legal or similarly significant effects. Consumers will have the right to question the result of such profiling, to review the personal data used in such profiling, and, if the decision was based upon inaccurate personal data, to have the data corrected and the profiling decision reevaluated using the corrected data.
- Sensitive Data: The Act will require consent prior to the collection of sensitive data. “Sensitive data” includes, among other categories, racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, citizenship or immigration status, the processing of biometric data or genetic information for the purpose of uniquely identifying an individual, and specific geolocation data. The Act refers to “specific” geolocation data, unlike other state statutes which refer to “precise” geolocation data, and takes a novel approach to defining the concept, focusing on accuracy to geographic coordinate system points or street addresses rather than measuring precision in feet.
- Compliance Documentation: The Act creates a new requirement that controllers document and maintain a description of the policies and procedures the controller has adopted to comply with the Act. This requirement is broader than the compliance documentation requirement in the Colorado Privacy Act Regulations. The Act provides a list of what such documentation must cover, including the name and contact information of the controller’s chief privacy officer or other individual with primary responsibility for complying with the Act, how the controller complies with consumer rights requests, and how the controller meets its data security obligations. Also, data privacy and protection assessments must include the description of the controller’s compliance policies and procedures.
- Data Security: The Act includes the now-standard requirement that controllers “establish, implement, and maintain reasonable administrative, technical, and physical data security practices” but also requires controllers to maintain “an inventory of the data that must be managed to exercise these responsibilities.”
- Privacy Policy Changes: In addition to standard privacy policy requirements, the Act requires controllers to include a description of their personal data retention policies. Additionally, the Act requires controllers to notify consumers affected by material changes to their privacy policies and provide a reasonable opportunity to withdraw their consent.
Rhode Island
On June 28, 2024, Rhode Island enacted the Rhode Island Data Transparency and Privacy Protection Act (the “Act”). The Act resembles the comprehensive privacy laws in non-California states, though there are some notable distinctions.
- Scope and Applicability: Unlike other state laws which provide title-wide applicability provisions, the Act contains applicability provisions on a section-by-section basis. The Act’s sections generally apply to for-profit entities that conduct business in Rhode Island or that produce products or services targeted to Rhode Island residents and that during the preceding calendar year either: (1) controlled or processed the data of at least 35,000 consumers; or (2) controlled or processed the data of at least 10,000 consumers and derived more than 20% of their profit from selling personal data. However, the Act’s privacy notice requirements (or “Information Sharing Practices” requirements) apply broadly to “[a]ny commercial website or internet service provider conducting business” in the state that “collects, stores and sells customers’ personally identifiable information.”
- Consumer Rights: The Act grants consumers the rights of access, deletion, portability, and correction. Consumers may also opt-out of targeted advertising, the sale of personal data, and automated profiling in furtherance of decisions producing a legal or similarly significant effect concerning the consumer under the Act. The Act defines “sale of personal data” as “the exchange of personal data for monetary or other valuable consideration.”
- Transparency Requirements: As noted above, the Information Sharing Practices section does not follow the Act’s general approach to applicability, and the section contains unique transparency requirements. The Information Sharing Practices section imposes transparency requirements on any commercial online provider conducting business in Rhode Island or with Rhode Island consumers regardless of size or amount of personal data collected or processed. While many of these transparency requirements track other state law transparency requirements, the Act also requires controllers to “identify all third parties to whom the controller has sold or may sell customers’ personally identifiable information.” Notably, the Act does not define “personally identifiable information,” so the applicability of this requirement is unclear.
- Sensitive Data: The Act will require controllers to obtain consent before processing a consumer’s sensitive data. The Act defines “sensitive data” as personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship or immigration status, the processing of genetic or biometric data for the purpose of uniquely identifying an individual, personal data collected from a known child, or precise geolocation data.
- DPAs: The Act requires Data Protection Assessments (“DPAs”) for processing activities that involve the processing of personal data for the purposes of targeted advertising, the sale of personal data, the processing of personal data for the purposes of profiling (in limited circumstances), and the processing of sensitive data. The Act specifies that DPAs must be conducted “using an appropriate and accepted control standard of framework and assessment procedure.”
- Enforcement: The Rhode Island Attorney General has exclusive authority to enforce the Act. The statute does not grant controllers or processors a period to cure. The Act allows for fines between $100 and $500 for each intentional disclosure (1) to a shell company formed to “circumvent the intent” of the Act or (2) in violation of any provision of the Act.
- Data Minimization and Purpose Limitation: The Act’s data minimization and purpose limitation provisions only apply to the “Controller and Processor Responsibilities” section.