Concord Privacy News: 6/19/24
Minnesota Becomes Latest State to Enact a Comprehensive Data Privacy Law
On May 24, 2024, Minnesota Governor Tim Walz signed into law the Minnesota Consumer Data Privacy Act, which will take effect on July 31, 2025. The law gives Minnesota residents several data protection rights and requires covered businesses to comply with new data privacy and information security requirements.
While the law is similar to other state data privacy regulations — particularly those in Washington, New Hampshire, and Maryland — the Minnesota Act has some unique provisions, including an exemption for small businesses and a consumer right to challenge profiling decisions. And unlike the act recently passed in Vermont, Minnesota’s law does not create a private right of action, instead giving enforcement authority to the state attorney general. Here are some of the key elements of the Minnesota law.
Applicability:
The law applies to entities that within a calendar year:
- Control or process personal data of at least 100,000 Minnesota residents; or
- Derive over 25% of their gross revenue from selling personal data and process or control personal data of at least 25,000 Minnesota residents.
Similar to privacy laws in other states, the Minnesota law exempts certain entities, including government agencies, Tribes, and insurance companies. Uniquely, Minnesota is one of only a handful of states that exempt small businesses.
Consumer Rights:
The law provides Minnesota residents with the following rights:
- The right to access personal data;
- The right to correct personal data;
- The right to delete personal data;
- The right to data portability; and
- The right to opt out of targeted advertising, sale of personal data, and profiling.
That last point is a unique consumer right included in the Minnesota law. Consumers have a distinctive right to question the outcomes of a controller's profiling. This includes the right to understand why a particular decision was made based on the profiling and to learn what actions the consumer can take to obtain a different outcome in the future. Additionally, consumers can review the data used in the profiling process and correct any inaccuracies for reevaluation.
Obligations for Controllers of Personal Data:
The law imposes a number of requirements on controllers of personal data, including:
- To establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities.
- To provide consumers a "reasonably accessible, clear, and meaningful" online privacy notice, posted on the controller’s homepage using a hyperlink that contains the word “privacy.”
- To electronically notify consumers of any material changes to the privacy notice and provide them a reasonable opportunity to withdraw consent to any materially different processing activities.
- To perform a data protection impact assessment (DPIA) for certain data processing activities, including targeted advertising, processing sensitive data, and selling personal data.
- To maintain records of all appeals and responses to those appeals for at least 24 months.
- To retain policies adopted to comply with the law, including identifying the primary individual responsible for the controller's compliance.
Other Privacy News of Note
Trade Groups Urge Congress to Beef Up Federal Data Privacy Power
A coalition of more than 20 lobbying groups is pushing Congress to modify draft consumer privacy legislation to ensure the new federal law will preempt what they see as a patchwork of state regulations. The draft American Privacy Rights Act “falls short of creating a uniform national standard,” United for Privacy, a coalition led by TechNet, said in a letter Monday.