Minnesota Legislature Sends Privacy Bill to Governor

Sarah Dannecker, Gregory Szewczyk
Ballard Spahr LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Ballard Spahr LLP

[co-author: Sarah Elena De Los Santos Samaniego]

Minnesota becomes the latest state to move to pass legislation regulating the processing and controlling of personal data (HF 4757 / SF 4782). If signed into law by Governor Tim Walz, the Minnesota Consumer Data Privacy Act, or MCDPA, would go into effect on July 31, 2025 and provide various consumer data privacy rights and impose obligations on entities that control or process Minnesota residents’ personal data.

The MCDPA applies to entities controlling or processing personal data of 100,000 consumers or more or that derive over 25% of their revenue from the sale of personal data and process or control personal data of 25,000 consumers or more. Following in the footsteps of Texas and Nebraska, the MCDPA exempts small businesses as defined by the United States Small Business Administration. The law also contains targeted data-level exemptions for health and financial data processing, but not entity-level exemptions.

In addition to the right to access, rectification, erasure, portability, and opt-out of targeted advertising, sale of personal data, and profiling, under the MCDPA, consumers also would also have the novel right to question the result of a profiling decision and request additional information from a controller regarding that decision.

The MCDPA outlines several responsibilities to which controllers of data must comply, some of which are new obligations beyond what are contained in other laws. For example, the MCDPA requires that a “controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities.” The maintenance of this type of inventory is a first under U.S. state privacy law.

There are also data obligations relating to transparency in privacy notice and disclosure; limitation of the use of data in relation to processing and physical data security practices; nondiscrimination in the processing of personal data; and an obligation to appoint a chief privacy officer or privacy lead for the organization.

Enforcement would fall under the purview of the Minnesota Attorney General and businesses would have a thirty-day right to cure period, which expires January 31, 2026.

Assuming it is signed into law as expected, Minnesota will join the ranks of the seventeen other states (eighteen counting Florida) that have passed comprehensive consumer privacy acts. As with each of the other states’ acts, Minnesota’s bill shares some similarities with these other acts while also containing some unique provisions. Businesses in Minnesota would do well to start reviewing procedures and processes in preparation for the MCDPA.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ballard Spahr LLP | Attorney Advertising

Written by:

Ballard Spahr LLP
Ballard Spahr LLP
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Ballard Spahr LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide