Minnesota Consumer Data Privacy Act Overview
Uploaded by
Jos van der LindenMinnesota Consumer Data Privacy Act Overview
Uploaded by
Jos van der LindenCommon questions
Powered by AIThe MCDPA includes a unique provision that requires businesses, referred to as controllers, to obtain opt-in consent from consumers aged 13-16 before processing their data for targeted advertising or selling their personal data . This measure is designed to provide enhanced protections to teenagers by ensuring that their data cannot be used for certain purposes without explicit consent.
The MCDPA applies to businesses that process personal data of at least 100,000 Minnesota consumers or derive more than 25% of their gross revenue from selling personal data of at least 25,000 Minnesota consumers within a calendar year . This impacts business operations by requiring eligible businesses to comply with a range of obligations concerning data processing, consumer rights, and privacy governance, potentially necessitating adjustments to data management practices.
Businesses under the MCDPA are required to conduct and document data protection assessments for high-risk activities, such as targeted advertising, data sales, and processing sensitive data . These assessments are significant because they help identify potential privacy risks associated with data processing activities and create accountability measures to mitigate such risks, ensuring comprehensive data protection and compliance with the law.
The Minnesota Attorney General is the exclusive enforcer of the MCDPA, with the authority to impose civil penalties of up to $7,500 per violation . Initially, the law includes a cure period requiring the Attorney General to issue a warning letter and provide a 30-day period for a business to remedy any violations before enforcing actions, which expires on January 31, 2026 . After this date, the Attorney General will have discretion to proceed with enforcement without a cure period, potentially increasing the immediacy and severity of enforcement actions.
The MCDPA grants consumers the right to question the results of automated profiling. It ensures that consumers are informed of the reasons behind such profiling decisions and, where feasible, provides information on what actions could have been taken to achieve a different result . This provision aims to enhance transparency and allows consumers to challenge and understand automated processes involving their data.
The MCDPA mandates that businesses honor universal opt-out signals, which consumers can enable through browser or device settings to indicate their preference to opt out of targeted advertising and data sales . This provides consumers with greater control over their data privacy preferences, as it simplifies the process of opting out of unwanted data uses. For businesses, it necessitates infrastructure to recognize and act upon these signals, potentially increasing compliance complexities and operational costs.
The MCDPA requires businesses to appoint a Chief Privacy Officer or a similar designee responsible for overseeing data privacy practices. It also mandates the maintenance of a documented data inventory and internal privacy policies . These internal governance obligations ensure that businesses have dedicated oversight and structured procedures in place to protect consumer data, enhancing accountability and compliance with privacy regulations.
The MCDPA's approach requires explicit consent before processing sensitive data, which includes information on racial or ethnic origin, religious beliefs, health conditions, sexual orientation, citizenship, and biometric data . This explicit requirement aligns with GDPR's approach and is stricter than some other US state privacy regulations, which might not specify the same level of detailed consent for sensitive data, thereby enhancing the protection of this type of information.
The MCDPA requires businesses to limit the collection of personal data to what is "adequate, relevant, and reasonably necessary" for the purposes disclosed to the consumer. It prohibits the processing of data for undisclosed purposes without consumer consent . This is more prescriptive than many other state privacy laws, which may not explicitly require such purpose limitation or detailed data minimization practices.
The MCDPA grants consumers the right to know and access, which allows them to confirm whether a controller is processing their personal data and to access that data . Additionally, it provides the right to data portability, enabling consumers to obtain a copy of their personal data in a portable and readily usable format for transfer to another controller . These rights are designed to empower consumers with control over their personal information.
