Minnesota is now the latest state to take strides towards enacting an omnibus consumer data privacy law. On February 22, 2021, the “Minnesota Consumer Data Privacy Act” was introduced as HF 1492 by Rep. Steve Elkins (DFL) and Rep. Mohamud Noor (DFL) in the Minnesota House of Representatives.
The proposed Minnesota Consumer Data Privacy Act (“MCDPA”) is largely based on the 2021 version of the proposed Washington Privacy Act (SB 5062), and bears many similarities to the Virginia Consumer Data Protection Act (“CDPA”). Virginia’s CDPA was recently passed by the Virginia legislature and is headed for Gov. Ralph Northam’s desk this week, where it is expected to be signed into law. The MCDPA shifts Minnesota’s privacy debate away from the California Consumer Privacy Act (“CCPA”) model, and towards the approach making headway through the Washington legislature in 2021. While a different CCPA-styled privacy bill was introduced in Minnesota in January 2021 (HF 36) by Rep. Noor, he is now a co-sponsor of the proposed MCDPA. The MCDPA is now the primary candidate to become Minnesota’s omnibus consumer privacy law.
As introduced, the MCDPA would apply to companies doing business in Minnesota, including those that provide products or services to Minnesota residents, so long as these companies: (1) process personal data of at least 100,000 consumers; or (2) generate more than 25% of their gross revenue from the sale of personal data, while also processing the personal data of at least 25,000 Minnesota consumers. The MCDPA would also govern a wide range of activities related to the processing of consumer personal information, including creating a variety of consumer data rights. For example, the bill gives consumers a variety of consumer privacy rights, including the right to verify, correct, delete, access, and opt-out of processing of their personal data. It also sets forth the time frames and other conditions for companies to respond to these consumer requests, and further provides requirements for data protection assessments and consumer privacy notices.
Enforcement of the MCDPA is by civil action brought by the attorney general, with injunctive relief available, as well as civil penalties of up to $7,500 for each violation. Like the proposed Washington Privacy Act, the proposed MCDPA does not currently include a private right of action. However, that may change during the course of the legislative session, as this is likely to be a hotly contested aspect of the bill, and amendments for a private right of action are already in the works. Moreover, while the proposed MCDPA does not specifically address facial recognition, a separate bill on that topic is expected to be introduced later this session by co-sponsor Rep. Mohamud Noor.
The proposed MCDPA would add many layers of consumer privacy obligations to companies doing business in Minnesota, and is being closely watched by industry observers. Businesses across the country handling consumer personal data should continue to closely track developments with this bill during the next several weeks as it works its way through the legislative process.