Four unusual provisions in the new Minnesota Consumer Data Privacy Act

Minnesota enacted the Minnesota Consumer Data Privacy Act (MCDPA) after the law was signed by the state’s governor on 24 May 2024. The law will take effect on 31 July 2025. 

While the MCDPA looks very similar to other “Virginia-style” comprehensive privacy laws, Minnesota has included some provisions that are either unique to Minnesota or rare across the US. Here’s a look at four such provisions, concerning the law’s application, transparency obligations, and consumer rights. 

1. Special application to small businesses

Like Texas and Nebraska, Minnesota’s law covers small businesses – but they only have one rule under the MCDPA: Do not sell sensitive data without consent. 

Sensitive data means: 

• Personal data revealing:  
  • Racial or ethnic origin 
  • Religious beliefs 
  • Mental or physical health condition or diagnosis 
  • Sexual orientation 
  • Citizenship or immigration status
• The processing of biometric data or genetic information for the purpose of uniquely identifying an individual 
• The personal data of a known child 
• “Specific” (precise) geolocation data 

The MCDPA takes its “small business” definition from the US Small Business Administration (SBA), which currently means a business with under 500 employees. 

Besides this relatively unusual provision, the MCDPA applies like most other comprehensive privacy laws: To any (non-exempt) business that conducts business in Minnesota or produces products or services targeted to residents of Minnesota and: 

• Annually controls or processes personal data about at least 100,000 Minnesota consumers, excepted personal data used solely for the purpose of completing a payment transaction, or 
• Derives over 25% of gross revenue from the sale of personal data and processes or controls personal data of at least 25,000 Minnesota consumers 

As such, the MCDPA’s application is narrower than its counterpart laws in Texas and Nebraska, as not all larger businesses will meet the above thresholds. 

2. A limited right of access

The MCDPA includes the usual range of consumer privacy rights common across most states that have enacted such a law. But Minnesota’s law includes some quirks in this regard. 

As usual, consumers have the right to confirm whether a controller is processing their personal data.  

But whereas most states empower consumers to access the personal data itself, Minnesota’s law only requires businesses to declare the “categories” of personal data they process about the consumer.  

Note, however, that consumers are entitled to the data they provided to the controller under the MCDPA’s “data portability” provision. 

3. Strict transparency obligations

Unlike any other state except Oregon, Minnesota provides consumers with “a right to obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data.”  

Providing such a list might be challenging for businesses that do not maintain comprehensive records about how they share each consumer’s personal data. 

However, if the controller doesn’t know the third parties to which it disclosed a given consumer’s personal data, the MCDPA allows the controller to provide a list of the specific third parties to which it has disclosed “any consumer’s personal data” instead. 

4. A new right to challenge decisions based on profiling

The MCDPA includes a unique provision that applies where “a consumer’s personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer.” 

When a controller has made such a decision, the consumer has the following rights: 

• To question the result of the profiling 
• To be informed of the reason that the profiling resulted in the decision 
• If feasible, to be informed of:  
  • What actions the consumer might have taken to secure a different decision 
  • The actions that the consumer might take to secure a different decision in the future 
• To review the personal data used in the profiling 
• To have any inaccurate data used for the profiling corrected and the profiling decision reevaluated based on the corrected data 

These rights are similar to those being developed under the California Privacy Protection Agency’s (CPPA) draft automated decision making technology (ADMT) regulations. 

In Minnesota, “decisions that produce legal or similarly significant effects” are decisions that impact a consumer’s access to the following: 

• Financial or lending services 
• Housing 
• Insurance 
• Education enrollment or opportunity 
• Criminal justice 
• Employment opportunities 
• Health care services
• Essential goods​ or services 

Profiling means automated processing of personal data to “evaluate, analyze, or predict personal aspects of a consumer’s “economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.” 

In practice, this new consumer right will have serious implications for many businesses making AI-driven decisions about Minnesota residents.