Minnesota is the 19th US State to Adopt Comprehensive Data Protection Legislation

28 May 2024

The Minnesota legislature granted final passage to the state’s comprehensive privacy legislation. The legislation, named the Minnesota Consumer Data Privacy Act, is expected to be approved by the governor and to take effect on 31 July 2025, less than a month after Vermont’s and Tennessee’s new privacy laws. The act provides similar protections to other state privacy laws enacted in the US, with several distinctions regarding profiling.

Minnesota’s new act joins 18 additional US states that have enacted comprehensive data protection laws in recent years, with the latest ones being those of Vermont, Nebraska, Maryland and Kentucky.

 

Scope of Application

The new act applies to data controllers and processors that conduct business in the state of Minnesota or produce products or services targeted to state residents and that, during a calendar year, either:

  • Control or process the personal data of at least 100,000 consumers (excluding payment transaction data); or
  • Derive over 25% of gross revenue from the sale of personal data and process the personal data of at least 25,000 consumers.

 

Similarly to other US state laws, the act exempts from the definition of “personal information” any deidentified data or publicly available information, which is defined as “information that (1) is lawfully made available from federal, state, or local government records or widely distributed media, or (2) a controller has a reasonable basis to believe has lawfully been made available to the general public.”

The act also exempts several types of organizations, such as governmental bodies and entities covered by Federal privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act or the Family Educational Rights and Privacy Act.

Although it takes effect in July 2025, the act provides an extended compliance period for nonprofit corporations and educational institutions. These organizations have until July 2029 to comply with the act.

 

Controllers’ Obligations

Controllers covered by the act are obliged to, inter alia:

  • Document their activities, policies and procedures to comply with the act;
  • Establish, implement, and maintain reasonable administrative, technical, and physical data security practices;
  • Limit the collection and retention of personal data in accordance with the purpose of processing; and
  • Provide a clear and accessible privacy notice to consumers.

 

To the extent the controller sells personal data to third parties or processes personal data for targeted advertising or profiling, it must disclose such processing in the privacy notice and provide a clear and conspicuous method outside the privacy notice for a consumer to opt out of such processing.

Controllers should create a designated page labeled “Your Opt-Out Rights” or “Your Privacy Rights” that directly processes the opt-out request.

Controllers are also obligated to conduct a data protection impact assessment where personal data is processed in conjunction with:

  • Targeted advertising;
  • Selling of personal data;
  • Processing of sensitive personal data or data that presents a heightened risk of harm to consumers;
  • Unfair or deceptive treatment of consumers;
  • Financial, physical, or reputational injury to consumers;
  • A physical or other intrusion upon the private affairs of a consumer;
  • Other substantial injury to consumers; or
  • Profiling.

 

Consumers’ Rights

The new act provides residents of Minnesota with several rights they may exercise by submitting a request to the controller, such as the right of access; right of rectification; right of deletion and right of data portability.

In addition to the abovementioned rights, the act introduces a new right that is unique to Minnesota residents – if a consumer’s personal data is profiled to produce legal effects, the consumer has the right to question the result of such profiling, and to be informed of the reason that the profiling resulted in the decision. Further, the consumer has the right to review what personal data was used in the profiling, and to request to correct both the data used for the profiling and the decision made based on the data.

Controllers have a 45-day time limit for complying with a request to exercise any consumer rights, with a further 45-day extension period where the request is complex. The controller must inform consumers of the extension and the reasoning for the delay.

In addition, controllers must establish an internal appeal process that allows consumers to appeal a controller’s refusal to act on a request to exercise their rights. The consumers’ right to appeal is not limited in time; however, it is available to them within a reasonable time period upon receiving notice of refusal or rejection from the controller.

Within 45 days of receiving the appeal, the controller must inform the consumer of any action taken in response, accompanied by a written explanation of the reasoning supporting the decision. To the extent the appeal was rejected by the controller, the controller must furnish the consumer with an online mechanism that will allow the consumer to file a complaint with the Minnesota Attorney General.

 

Enforcement

In the event either controllers or processors violate the act, the Minnesota Attorney General must provide them with a warning letter identifying the violations pursuant to the act. If the controller or processor fails to remediate the violations, the Attorney General may impose a civil fine of $7,500 per violation.

 

Companies providing services to consumers in the United States should evaluate their exposure to this additional data protection regulatory regime in Minnesota. Feel free to contact us if you have any questions regarding the new act and its practical implications.

 
