Minnesota Consumer Data Privacy Act (MCDPA): Everything You Need to Know

Written by Matt Davis, CIPM (IAPP) | July 12, 2024

As we wait for a federal privacy law in the U.S., the Land of 10,000 Lakes joins a growing number of states that now have their own laws. As expected, Minnesota’s data privacy law has similarities to other state privacy laws and also a few differences—most notably unique requirements around profiling and data inventories. 

Here, we’ll dive into the basics of the Minnesota Consumer Data Privacy Act (MCDPA) and what businesses need to keep in mind to comply with the law.  

What Is the MCDPA? 

The MCDPA is state-level legislation designed to safeguard the personal data of Minnesota residents. Rather than permit organizations to collect, process, and generally do whatever they wish with consumers’ personal information, data privacy regulations like the MCDPA:

  • Set limits on what organizations can do with personal data 
  • Require organizations to meet certain obligations, like setting safeguards, assessing for risk, and respecting consumer rights 
  • Provide consumers with data privacy rights that enable them to maintain control over their personal information 

Officially enacted on May 24, 2024, the MCDPA will take effect on July 31, 2025. Once that happens, businesses will need to comply or potentially suffer penalties and fines from the state Attorney General. 

Note: Some authors mistakenly use the MCDPA acronym to refer to Montana’s data privacy law, the Montana Consumer Data Privacy Act, or MTCDPA. When researching your compliance requirements, make sure you’re reviewing the right law. 

MCDPA Thresholds: Who Must Comply? 

The MCDPA applies to organizations that provide products or services targeted at Minnesotans and meet one of the following criteria: 

  • During a calendar year, they control or process the personal data of 100,000 consumers or more. 
  • They derive more than 25 percent of gross revenue from the sale of personal data and process or control personal data of 25,000 consumers or more. 

As is the case with most data privacy laws, the definition of “sale” includes both selling data for money and “other valuable considerations.” 

Consumer Rights Granted by the Minnesota Data Privacy Law  

The Minnesota Consumer Data Privacy Act provides consumers with similar rights to other state privacy laws. 

  • Right to Know: Consumers have the right to know what categories of personal data are being collected about them by businesses.  
  • Right to Access: Consumers can request access to their personal data, and businesses must provide consumers with a copy of their personal data upon request, free of charge, and in a format that is easily accessible. 
  • Right to Obtain a List of Third Parties: As is the case with Oregon’s data privacy law, the MCDPA gives consumers the right to obtain a list of the specific third parties to which the controller has disclosed their personal data. 
  • Right to Correction: If a consumer discovers an organization has inaccurate or incomplete personal information, they may request that it be corrected. 
  • Right to Deletion: Unless the personal information is necessary for specific purposes, such as completing a transaction or complying with legal obligations, organizations must delete a consumer’s personal information upon their request. 
  • Right to Opt-Out: Consumers have the right to opt out of certain processing activities, specifically targeted advertising, the sale of personal data, and profiling that results in automated decisions that produce legal effects for the consumer.
  • Right to Question Results of Profiling: If a consumer has been profiled, they may question the results of the profiling. If this right is exercised, organizations must inform the consumer how the results were reached and what actions the consumer could have taken to achieve a different result. 
  • Right to Non-Discrimination: Businesses may not discriminate against consumers who exercise their rights. 
  • Right to Data Portability: Consumers may have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another entity without hindrance from the business. 
  • Right to Appeal: If businesses refuse to act on a request, consumers may appeal that decision. 

One standout right offered by the MCDPA is that it allows consumers to question the results of profiling and automated decision-making. For businesses, the takeaway is that they should have a solid understanding of how any algorithms, AIs, or other automated systems reach decisions, particularly if those systems rely on personal information and result in some legally recognizable effect for a consumer. 

What constitutes a “legal effect” is broad—in essence, it’s something that impacts an individual’s rights. That could be automatically rejecting a credit application or a job application. 

Exemptions to the Minnesota Data Privacy Act  

The Minnesota Consumer Data Privacy Act includes the usual roster of exemptions, both in terms of entities and data that are not held to its requirements.  

  • Small Businesses: Unlike most state data privacy laws, the MCDPA exempts small businesses (as defined by the Small Business Association). They must still secure a consumer’s explicit, opt-in consent before selling sensitive information, however.
  • Data-Level Exemptions: If your organization processes data that is already governed by certain regulations, that data does not need to be handled in a manner compliant with the MCDPA. This includes regulations such as the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA), the Drivers' Privacy Protection Act, the Family Educational Rights and Privacy Act, Fair Credit Reporting Act, and the Farm Credit Act. Note that this only applies to the data—not the entity. Other state laws exempt entire organizations if they handle data covered by HIPAA, for example, even if they handle other data that isn’t covered by HIPAA. The MCDPA says such data is still subject to regulation. 
  • Publicly Available Information: MCDPA does not apply to personal data that is lawfully made available from federal, state, or local government records or from widely distributed media. 
  • Employee and Benefits Administration Data: Typical of most U.S. data privacy laws, personal data collected in the context of an employment relationship is exempt. 
  • Nonprofits: Specifically, the MCDPA exempts nonprofits that are established to detect and prevent insurance fraud. 
  • Other Legal Obligations: If compliance with an MCDPA requirement would conflict with other federal or state laws providing equal or greater protection for consumer data, then your organization may be exempt. 

Sensitive Data Under the MCDPA  

The MCDPA categorizes certain types of personal information as “sensitive” and therefore warranting heightened protection, including:

  • Racial or ethnic origin 
  • Religious beliefs 
  • Mental or physical health diagnosis 
  • Sexual orientation 
  • Citizenship or immigration status 
  • Genetic or biometric data 
  • Data collected from a known child 
  • Specific geolocation data  

This is a standard list of sensitive personal information categories seen in other state laws, but Minnesota’s law does have a unique feature: If a consumer makes a subject rights request for access or knowledge, businesses aren’t permitted to actually disclose certain types of sensitive information, including:  

  • Social Security numbers  
  • Driver’s license or other identification numbers  
  • Financial account numbers  
  • Health insurance account numbers  
  • Account login information 
  • Biometric data   

Instead, businesses need only to notify consumers that the above information has been collected. 

MCDPA: Privacy Impact Assessments (PIAs)  

Organizations subject to the MCDPA must conduct privacy impact assessments (PIAs) for certain activities. To confirm compliance, the state Attorney General may review these assessments. Specifically, organizations need to conduct PIAs for any processing activities involving: 

  • Targeted advertising 
  • The sale of personal data 
  • The processing of sensitive data 
  • Any processing of personal data that may pose a heightened risk of harm to consumers 
  • Profiling that poses a risk of unfair/deceptive treatment of consumers, injury to consumers (i.e., financial, physical, or reputational injury), any intrusion on the consumer’s solitude, or other substantial injury 

Earlier, we called out the special right that the MCDPA gives consumers regarding their ability to question the results of profiling. Given that there’s also a requirement to conduct a PIA for profiling, you may be wondering exactly how the law defines this activity. Here’s what the statute says: 

“Profiling” means any form of automated processing of personal data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person's economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Conceivably, many business activities could fall under this definition—make sure you’ve taken stock of the data processing activities in which your organization partakes and that you’ve considered whether they meet this definition. Fortunately, the MCDPA also features a unique requirement that will make it easier for you to assess your data processing activities: a data inventory requirement. 

First of Its Kind: MCDPA’s Requirements for Data Inventories 

Data inventories and data maps are a best practice for compliance with any comprehensive data privacy law, but until recently, they weren’t a strict requirement. The MCDPA bucked that trend by explicitly listing data inventories as a required security practice. 

(In truth, data inventories aren’t so much about “security,” per se, as they are about facilitating privacy compliance, but that’s how the law framed them.) 

As to how to inventory or map your data, we have lots to say about what data mapping is and how to go about generating your first data map—more than can fit in this article. If you want to learn more about data mapping best practices, check out our blog, Data Mapping 101: A How-to Guide.

MCDPA Enforcement 

The Minnesota data privacy law is enforceable by the state Attorney General. Specifically, the Minnesota AG may seek injunctive relief against violators and civil penalties of up to $7,500 per violation. The MCDPA also provides a 30-day right to cure before any enforcement action becomes effective, though this provision expires on January 31, 2026.

How to Comply With the MCDPA  

MCDPA compliance requires many of the fundamentals that a privacy professional will be familiar with: consent management, subject rights request management, and privacy notices and policies.  

For the MCDPA, however, there are two standout requirements that privacy professionals will want to pay special attention to:  

PIA Processes 

Given that the state attorney general can ask for PIAs at any time, you’ll want to make sure you know when and how to carry them out—especially if you conduct any profiling activities. You’ll need to describe how such activities generate their outputs upon consumer request, and the statute explicitly calls out these activities as requiring PIAs.  

Rather than improvise assessments and conduct them on an ad hoc basis, consider operationalizing your assessment process. For example, the assessments functionality in the Osano data platform guides you through the assessment process and stores assessments in a centralized location.

Data Mapping 

While generating a robust data map is an acknowledged best practice, it hasn’t been a requirement until the MCDPA. And many organizations still have limited data inventories or no data inventory at all.  

Osano’s data mapping capability guides you through the process, providing a visual representation of your data inventory, data flows, and essential metadata needed to facilitate compliance activities (like where assessments might be needed). It also facilitates hassle-free migration of your data from a spreadsheet or other platform. 

To learn more about streamlining both assessments and data mapping to comply with the MCDPA, as well as improving other data privacy management, schedule a demo of Osano today.  

MCDPA: FAQs 

What Does the MCDPA Say About Universal Opt-Out Mechanisms (UOOMs)? 

Organizations subject to the MCDPA must honor opt-out requests sent by a universal opt-out mechanism (UOOM) for targeted advertising or any sale of personal data. 

When Does the MCDPA Go Into Effect? 

The MCDPA is set to take effect on July 31, 2025.

What Penalties Are Associated With Violating the MCDPA? 

Violators of the MCDPA must pay $7,500 per violation unless the violation is cured within 30 days of notice. The right to cure, however, expires on January 31, 2026. 

What Is Considered Sensitive Data Under the MCDPA?

The MCDPA lists the following as sensitive data: racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, data collected from a known child, and specific geolocation data.