Updated: September 7, 2024
Published: July 12, 2024
As we wait for a federal privacy law in the U.S., the Land of 10,000 Lakes joins a growing number of states that now have their own laws. As expected, Minnesota’s data privacy law has similarities to other state privacy laws and also a few differences—most notably unique requirements around profiling and data inventories.
Here, we’ll dive into the basics of the Minnesota Consumer Data Privacy Act (MCDPA) and what businesses need to keep in mind to comply with the law.
The MCDPA is state-level legislation designed to safeguard the personal data of Minnesota residents. Rather than permit organizations to collect, process, and generally do whatever they wish with consumers’ personal information, data privacy regulations like the MCDPA:
Officially enacted on May 24, 2024, the MCDPA will take effect on July 31, 2025. Once that happens, businesses will need to comply or potentially suffer penalties and fines from the state Attorney General.
Note: Some authors mistakenly use the MCDPA acronym to refer to Montana’s data privacy law, the Montana Consumer Data Privacy Act, or MTCDPA. When researching your compliance requirements, make sure you’re reviewing the right law.
The MCDPA applies to organizations that provide products or services targeted at Minnesotans and meet one of the following criteria:
As is the case with most data privacy laws, the definition of “sale” includes both selling data for money and “other valuable considerations.”
The Minnesota Consumer Data Privacy Act provides consumers with similar rights to other state privacy laws.
One standout right offered by the MCDPA is that it allows consumers to question the results of profiling and automated decision-making. For businesses, the takeaway is that they should have a solid understanding of how any algorithms, AIs, or other automated systems reach decisions, particularly if those systems rely on personal information and result in some legally recognizable effect for a consumer.
What constitutes a “legal effect” is broad—in essence, it’s something that impacts an individual’s rights. That could be automatically rejecting a credit application or a job application.
The Minnesota Consumer Data Privacy Act includes the usual roster of exemptions, both in terms of entities and data that are not held to its requirements.
The MCDPA categorizes certain types of personal information as “sensitive” and therefore as warranting heightened protection, including:
This is a standard list of sensitive personal information categories seen in other state laws, but Minnesota’s law does have a unique feature: If a consumer makes a subject rights request for access or knowledge, businesses aren’t permitted to actually disclose certain types of sensitive information, including:
Instead, businesses need only to notify consumers that the above information has been collected.
Organizations subject to the MCDPA must conduct privacy impact assessments (PIAs) for certain activities. To confirm compliance, the state Attorney General may review these assessments. Specifically, organizations need to conduct PIAs for any processing activities involving:
Earlier, we called out the special right that the MCDPA gives consumers regarding their ability to question the results of profiling. Given that there’s also a requirement to conduct a PIA for profiling, you may be wondering exactly how the law defines this activity. Here’s what the statute says:
“Profiling” means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
Conceivably, many business activities could fall under this definition—make sure you’ve taken stock of the data processing activities in which your organization partakes and that you’ve considered whether they meet this definition. Fortunately, the MCDPA also features a unique requirement that will make it easier for you to assess your data processing activities: a data inventory requirement.
Data inventories and data maps are a best practice for compliance with any comprehensive data privacy law, but until recently, they weren’t a strict requirement. The MCDPA bucked that trend by explicitly listing data inventories as a required security practice.
(In truth, data inventories aren’t so much about “security,” per se, as they are about facilitating privacy compliance, but that’s how the law framed them.)
As to how to inventory or map your data, we have lots to say about what data mapping is and how to go about generating your first data map–more than can fit in this article. If you want to learn more about data mapping best practices, check out our blog, Data Mapping 101: A How-to Guide.
The Minnesota data privacy law is enforceable by the state Attorney General. Specifically, the Minnesota AG may require violators to take injunctive relief and pay up to $7,500 per violation. The MCDPA also provides a 30-day right to cure before any enforcement action becomes effective, though this provision expires on January 31, 2026.
MCDPA compliance requires many of the fundamentals that a privacy professional will be familiar with: consent management, subject rights request management, and privacy notices and policies.
For the MCDPA, however, there are two standout requirements that privacy professionals will want to pay special attention to:
Given that the state attorney general can ask for PIAs at any time, you’ll want to make sure you know when and how to carry them out—especially if you conduct any profiling activities. You’ll need to describe how such activities generate their outputs upon consumer request, and the statute explicitly calls out these activities as requiring PIAs.
Rather than improvise assessments and conduct them on an ad hoc basis, consider operationalizing your assessment process. For example, the assessments functionality in the Osano data platform guides you through the assessment process and stores assessments in a centralized location.
While generating a robust data map is an acknowledged best practice, it hasn’t been a requirement until the MCDPA. And many organizations still have limited data inventories or no data inventory at all.
Osano’s data mapping capability guides you through the process, providing a visual representation of your data inventory, data flows, and essential metadata needed to facilitate compliance activities (like where assessments might be needed). It also facilitates hassle-free migration of your data from a spreadsheet or other platform.
To learn more about streamlining both assessments and data mapping to comply with the MCDPA, as well as improving other data privacy management, schedule a demo of Osano today.
Organizations subject to the MCDPA must honor opt-out requests sent by a universal opt-out mechanism (UOOM) for targeted advertising or any sale of personal data.
The MCDPA is set to take effect on July 31, 2025.
Violators of the MCDPA must pay $7,500 per violation unless the violation is cured within 30 days of notice. The right to cure, however, expires on January 31, 2026.
The MCDPA lists the following as sensitive data: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, data collected from a known child, and specific geolocation data.
Matt Davis is a writer at Osano, where he researches and writes about the latest in technology, legislation, and business to spread awareness about the most pressing issues in privacy today. When he’s not writing about data privacy, Matt spends his time exploring Vermont with his dog, Harper; playing piano; and writing short fiction.