Understanding Minnesota’s New Consumer Data Privacy Law
The landscape of data privacy is evolving rapidly, with new regulations being introduced to protect consumer data and enhance privacy practices. One of the most significant new regulations is the Minnesota Consumer Data Privacy Act (MNCDPA), which will take effect on July 31, 2025.
This comprehensive law aims to safeguard the personal data of Minnesota residents and imposes strict requirements on businesses that handle this data. In this blog post, we’ll explore what the MNCDPA entails, its key provisions, and why it’s crucial for businesses and consumers alike.
Key Provisions of the MNCDPA
Scope and Application
The MNCDPA applies to legal entities that conduct business in Minnesota or offer products or services targeted at Minnesota residents. To fall under the MNCDPA, businesses must meet one of the following thresholds:
- Control or process personal data of 100,000 consumers or more annually, excluding data processed solely for payment transactions.
- Derive over 25% of gross revenue from the sale of personal data and process or control personal data of 25,000 consumers or more.
A notable exception is made for small businesses, as defined by the U.S. Small Business Administration, which are not required to comply with certain provisions, such as selling sensitive data without prior consumer consent.
Consumer Rights
The MNCDPA grants Minnesota residents several significant rights over their personal data. These rights empower consumers to:
- Confirm whether their data is being processed and access the categories of personal data involved.
Correct inaccurate personal data. - Delete personal data.
- Obtain their personal data in a portable and usable format.
- Opt out of targeted advertising, the sale of personal data, or profiling for automated decisions that produce significant effects.
Additionally, if personal data is used for profiling that affects consumers legally or significantly, they have the right to understand the reasons behind these decisions and challenge them.
Sensitive Data Protection
Under the MNCDPA, businesses must obtain consumer consent before processing sensitive data. This includes data about race, ethnicity, religious beliefs, health information, and more. The law also imposes strict requirements on processing children’s data, aligning with the Children’s Online Privacy Protection Act (COPPA).
Anti-Discrimination Measures
The MNCDPA prohibits businesses from discriminating against consumers who exercise their data rights. This means companies cannot deny services, charge different prices, or provide lower quality services to consumers who choose to exercise their privacy rights.
Controller Obligations
Businesses, referred to as “controllers” in the MNCDPA, must:
- Provide clear and accessible mechanisms for consumers to revoke consent.
- Cease processing data within 15 days of receiving a revocation request.
- Comply with consumer requests within 45 days, with the possibility of a single 45-day extension if necessary.
Importance of the MNCDPA
The MNCDPA is a pivotal law for several reasons:
- Enhanced Consumer Protection: The law empowers consumers with greater control over their personal data, ensuring that they can manage their privacy effectively.
- Business Accountability: By imposing strict requirements on data controllers, the MNCDPA ensures that businesses are more accountable for how they handle consumer data. This fosters a culture of transparency and responsibility.
- Mitigation of Data Breaches: With stringent consent requirements and the need for robust data protection measures, the MNCDPA helps mitigate the risk of data breaches, protecting both businesses and consumers from potential harm.
- Alignment with Other Regulations: The MNCDPA aligns with other privacy regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), creating a more unified approach to data privacy across different jurisdictions.
Prepare for MNCDPA Compliance with BigID
The Minnesota Consumer Data Privacy Act represents a significant step forward in protecting consumer data and enhancing privacy practices. For businesses operating in Minnesota or targeting Minnesota residents, it is crucial to start preparing for MNCDPA compliance well before the law takes effect.
As the industry leading platform for data privacy, security, compliance, and AI data management— BigID can help you get ahead of the curve by:
- Identify All Data: Discover and classify data to build an inventory, map data flows, and gain visibility on all personal and sensitive information subject to MNCDPA requirements.
- Automate Data Rights Management: Automatically manage privacy requests, preferences, and consent, including opting out of data selling, targeted advertising, and user profiling.
- Apply Policies: Remediate policy-based risk with controls and workflows to take action on MNCDPA requirements.
- Minimize Data: Apply data minimization practices by identifying, categorizing, and deleting unnecessary or excessive personal data to efficiently manage the data lifecycle.
- Implement Data Protection Controls: Automate data protection controls to enforce data access and other security measures, which are crucial to safeguarding data and complying with MNCDPA.
- Assess Risk: Automate privacy impact assessments, data inventory reports, and remediation workflows to identify and remediate risks to maintain compliance.
Schedule a 1:1 demo to see how BigID can accelerate your compliance with MNCDPA today.