Vernessa Poole

An Update on a New Privacy Law


With privacy concerns growing, states across the U.S. are enacting laws to regulate the use of personal data. Minnesota is among the latest to join this trend, introducing the Minnesota Consumer Data Privacy Act (H.F. 2309). Set to take effect on July 31, 2025, the law establishes new rules for businesses operating in Minnesota or serving Minnesota residents, giving individuals control over how their personal information is collected and used. Certain entities, such as nonprofits and postsecondary institutions, have until July 2029 to comply, but the law impacts many other businesses well before then.


What the Law Includes


The Minnesota Consumer Data Privacy Act grants Minnesota residents specific rights over their data, creating new standards for businesses to follow. This includes six primary rights:


  1. Right to Access and Know – Consumers have the right to know what personal data businesses collect and process about them.

  2. Right to Correct – Consumers can request corrections to inaccurate information.

  3. Right to Delete – Consumers can request the deletion of their data.

  4. Right to Data Portability – Consumers may request copies of their data to transfer elsewhere.

  5. Right to Opt-Out – People can opt out of targeted advertising, data sales, and automated profiling.

  6. Right to Appeal – If a data request is denied, consumers can appeal and file a complaint with the Minnesota attorney general if needed.


The law also requires businesses to implement and maintain privacy notices detailing their data practices, including what personal data they collect, how long they retain it, and how they use it. In some cases, businesses may also need to complete “data privacy and protection assessments,” which outline compliance efforts. These assessments can be reviewed by the Minnesota attorney general, who has the authority to investigate and enforce compliance. Penalties for violations are up to $7,500 per violation, with a required warning and opportunity to correct violations before enforcement.


The law defines several key terms relevant to these standards. For example:


  • “Controller” refers to any entity that determines how personal data is processed, while a “processor” handles data on behalf of a controller.

  • “Personal data” covers any information that can be linked to a specific person, and “sensitive personal data” includes certain data types with higher privacy concerns.

  • “Sale” refers to the exchange of personal data for money or other benefits, with some disclosures exempt from this definition.


What This Means for Your Business


If your business operates in Minnesota or offers products and services to Minnesota residents, this law likely applies to you. The Act has a broad scope, covering any business entity meeting certain thresholds related to the volume of data processed. Even small businesses that generally meet exclusions are subject to specific rules on sensitive data, prohibiting the sale of such data without consumer permission.


Businesses must review their data security measures to ensure consumers can exercise their rights. For example, if consumers submit requests to access, correct, or delete their data, companies have 45 days to respond, with possible extensions for complex requests. Controllers must also respect requests sent via universal opt-out mechanisms, which allow consumers to opt out through broader platforms rather than just company-specific settings.


Data processing transparency is another key aspect. Controllers must be clear about how they handle personal data and sensitive personal data. Companies involved in automated data profiling (using algorithms to make predictions or evaluations) must provide ways for consumers to understand, review, and correct how their data is used in such processes.


Businesses that discriminate against consumers for exercising these rights or that process personal data based on protected classifications (like race or gender) in ways that negatively impact access to goods or services may also be subject to additional penalties. This includes prohibitions on data use in loyalty programs and targeted advertising for minors aged 13-16 without explicit consent.


Compassionate Legal Support, Regardless of What Changes 


If your business handles personal data in Minnesota, it’s essential to understand the Minnesota Consumer Data Privacy Act and assess your current data practices. Temple Law, PLLC, can help you prepare for compliance with the new standards and protect your business from potential risks. Schedule a consultation with us so that we can learn more about your business.
