The U.S. still lacks a comprehensive federal data privacy law, and many states have stepped in to fill the gap. Amanda Novak of law firm Constangy, Brooks, Smith & Prophete takes a closer look at Minnesota’s new law, which will go into effect next summer.
In the absence of federal consumer data privacy legislation, states across the U.S. have been passing their own comprehensive statutes to impose data protection obligations on organizations and to bestow privacy rights on consumers in those states. This started with the California Consumer Privacy Act in 2018, and the passage of these laws has only picked up speed since then in states ranging from Connecticut to Colorado and Utah to Virginia. Many of these comprehensive state privacy acts reflect and incorporate the requirements created by the EU’s GDPR, but each contains its own nuances on topics like applicability thresholds, nonprofit exemptions, employee data and automated profiling requirements, among others.
Earlier this year, Minnesota became the 19th state to enact a data privacy law when Gov. Tim Walz signed the Minnesota Consumer Data Privacy Act into law. The law will provide privacy rights to Minnesotans and impose requirements on businesses and organizations handling personal data that fall under its jurisdiction. For most covered entities, the measure will go into effect July 31, 2025. Postsecondary institutions regulated by the Minnesota Office of Higher Education have until July 31, 2029, to comply.
Applicability
Minnesota’s law applies to entities that conduct business in Minnesota or offer products or services that target Minnesota residents and that meet one or more of the following thresholds:
- Control or process the personal data of 100,000 Minnesota consumers or more (excluding personal data controlled or processed solely for the purpose of completing a payment transaction).
- Derive more than 25% of gross revenue from the sale of personal data and process or control the personal data of at least 25,000 Minnesota consumers.
Minnesota places a strong value on public education, and Minnesota policymakers drafted the law to also apply to “technology providers” that contract with public education agencies and institutions under Minnesota’s educational data laws.
Similar to other consumer privacy statutes, Minnesota’s law provides limited entity-level exemptions. For example, the law does not apply to government entities, tribes or insurance companies defined by Minnesota statutes. The law also contains several data-type exemptions — for example, carving out protected health information governed by HIPAA and personal data subject to the Gramm-Leach-Bliley Act (GLBA). Notably, nonprofit organizations are not exempt (except for those established to detect and prevent fraudulent acts in connection with insurance). Additionally, small businesses as defined by the U.S. Small Business Administration are exempt. However, a small business must still obtain consent before selling a consumer’s sensitive data.
Consumer rights
Minnesota’s new law contains the following consumer data privacy rights:
- The right to confirm whether a controller is processing the consumer’s personal data and to access the categories of personal data.
- The right to correct inaccurate personal data.
- The right to delete personal data (subject to exceptions).
- The right to data portability.
- The right to obtain a list of the specific third parties to which the controller disclosed the consumer’s personal data.
- The right to opt out of targeted advertising, the sale of personal data and the use of personal data for profiling by automated means that produce legal or significant effects. Controllers must also adhere to opt-out requests submitted by universal opt-out mechanisms (UOOMs).
Covered entities must be prepared to respond to consumers’ requests to exercise these rights. In most circumstances, an organization acting as a controller will have 45 days to respond to a request and must establish a process for consumers to appeal the denial of any request to exercise their rights.
Organizations using artificial intelligence or automated processes that produce legal effects concerning a consumer, or similarly significant effects concerning a consumer, must be prepared to comply with Minnesota’s requirements.
The law delves deeper into the issue of automated profiling than do most state privacy laws. For example, the measure provides consumers the right to (1) question the result of profiling; (2) be informed of the reasoning behind the profiling-produced decision; and (3) if feasible, to be informed of actions the consumers could have taken that would have secured a different result or that could secure a different result in the future.
Consumers can also obtain a reevaluation of a decision made via profiling by requesting a review of the personal data used in the profiling decision and subsequently requesting correction of any inaccurate data. An organization subject to these requirements must develop internal processes and procedures to respond to these rights. Organizations should create or review their current governance programs related to artificial intelligence and automated processing to enhance their ability to comply with the law’s unique requirements regarding profiling and automated processing.
Obligations for controllers and processors
The Minnesota law also includes a number of significant compliance obligations for covered entities with regard to consumer data:
- Data limitation: Requires controllers to limit the collection of personal data to what is adequate, relevant and reasonably necessary to effectuate the purposes for which it was collected and processed.
- Sensitive data: Controllers may not process “sensitive data” without consumers’ consent. Sensitive data includes data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, or genetic or biometric data for the purpose of uniquely identifying an individual, data collected from a known child and specific geolocation data.
- Transparency and notice: Controllers must provide consumers with a privacy notice that is reasonably accessible, clear, and meaningful. Consumers must be notified of any material changes to the privacy notice and given a reasonable opportunity to withdraw consent to any data practice that is materially different from the practice to which the consumer consented. Controllers must also provide a method outside of the privacy notice for consumers to opt out of personal data sales, targeted advertising, or profiling.
- Safeguarding data: Controllers must establish and maintain reasonable administrative, technical and physical safeguards to protect the confidentiality, integrity, and accessibility of the data. Notably, the law requires controllers to maintain personal data inventories to appropriately implement safeguards, as well as descriptions of the policies and procedures they have adopted to comply.
- Data protection impact assessments: For certain data processing activities, controllers must conduct data protection impact assessments to mitigate the risk of consumer harm. Specifically, assessments are required in advance of targeted advertising, sales of personal data, certain types of profiling, processing of sensitive data and any processing activities that present a “heightened risk of harm.”
- Data processors: Controllers must ensure that their agreements with processors contain required provisions regarding personal data processing, including protecting the confidentiality of the data, data retention, subcontractor flow-down obligations, and more.
Minnesota’s law does not have a private right of action and will be enforced exclusively by the state attorney general’s office, with civil penalties of up to $7,500 per violation. There will be a temporary cure period that will expire Jan. 31, 2026.
A future of 50 state consumer privacy statutes and no federal legislation could well be in the cards. The underlying principles of transparency, security, consumer privacy rights and data minimization are common threads throughout the various privacy acts. However, it is imperative that organizations understand the nuances between the statutes and continue to track new and emerging laws in individual states to comply with the U.S.’s ever-changing patchwork privacy regime.