Data Privacy Gets Personal | New legislation may affect your business when it comes to personal consumer data. Are you ready?*
Minnesota is the 19th state to enact a data privacy law protecting the personal data of consumers and giving consumers rights over their data. The Minnesota Consumer Data Privacy Act (MNCDPA) goes into effect July 31, 2025. It requires certain entities conducting business in Minnesota, with access to the personal data of consumers, to comply with requirements in the handling of that data.
What is personal data?
Personal data is defined as "any information linked or reasonably linkable to an identified or identifiable natural person" (Minn. Stat. 3250.02(p)). This includes names, email addresses, phone numbers, etc. Personal data is heightened to "sensitive data" if it includes:
- Personal data that reveals racial or ethnic origin, religious beliefs, mental or physical health information, sexual orientation, or citizenship or immigration status;
- Genetic or biometric information;
- Personal data of a child (under 13);
- Specific geographic location.
Businesses subject to the MNCDPA need to think about it sooner rather than later, as it may require alterations to internal systems, websites, and employee training.
Who is impacted?
The MNCDPA applies to entities conducting business in Minnesota, or producing products or providing services targeted at Minnesota residents, that meet one of the following:
- In a calendar year, it controls or processes the personal data (defined above) of 100,000 or more Minnesota consumers (excluding personal data processed solely for payment); or
- Obtains over 25 percent of its gross revenue from the sale of personal data, and processes or control the personal data of 25,000 consumers or more.
The MNCDPA also applies to entities that process personal data for a controller (e.g., a software company providing customer relationship management services to a business is the processor of the personal data and the business collecting that information is the controller).
What comes next?
The MNCDPA requires transparency in how your business protects personal data. Businesses should provide a privacy notice informing consumers about the information collected, how it is collected and stored, and what rights the consumer has over their personal data. The MNCDPA affords consumers the following rights to their personal data collected by a business:
- Access to it
- Correction or deletion of it
- Data portability, meaning they can get a copy of it
- The ability to opt-out of:
- Personal data sales;
- Targeted advertising based on the personal data;
- Profiling for decisions producing legal or similarly significant effects.
Businesses must also minimize the amount of personal data they collect to what is reasonably necessary, obtain consent before processing any sensitive data, and not retain personal data longer than necessary.
These are only highlights of the MNCDPA – there are several more requirements. To confirm if the MNCDPA applies to your business and ensure compliance, you should contact a data privacy attorney now to be ready when the MNCDPA takes effect.
*This article originally appeared in the November/December 2024 edition of the St. Cloud Area Chamber of Commerce Business Central Magazine. Repurposed and republished with permission of the publisher.