On May 24, Governor Walz signed into law HF 4757, the Minnesota Consumer Data Privacy Act, making Minnesota the eighteenth state to enact a comprehensive consumer data privacy law following California, Virginia, Colorado, Utah, Connecticut, Iowa, Indiana, Tennessee, Montana, Texas, Oregon, Delaware, New Jersey, New Hampshire, Kentucky, Nebraska, and Maryland. The Act will go into effect July 31, 2025.
Applicability
The Act applies to legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds:
- During a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.
Exemptions
Exemptions include, but are not limited to:
- Personal data collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act and implementing regulations if the collection, processing, sale, or disclosure is in compliance with that law;
- Protected health information under the Health Insurance Portability and Accountability Act of 1996;
- The collection, maintenance, disclosure, sale, communication, or use of any personal information to the extent that such activity is regulated by and authorized under the Fair Credit Reporting Act;
- Data collected or maintained in the course of an individual acting as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of a business if the data is collected and used solely within the context of the role.
Consumer Rights
Consumers have the right to:
- Confirm whether a controller is processing their personal data;
- Correct inaccurate personal data concerning the consumer, taking into account the nature of the personal data and the purposes of the processing of the personal data.;
- Delete personal data concerning the consumer;
- Obtain a portable copy of their personal data to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means;
- Opt-out of the processing of the personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal effects or similarly significant effects concerning the consumer.
- Question the results of profiling if the personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects;
- Obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data or, If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers’ personal data.
Data Protection Assessments
A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data:
- The processing of personal data for purposes of targeted advertising;
- The sale of personal data;
- The processing of sensitive data;
- Any processing activities involving personal data that present a heightened risk of harm to consumers; and
- The processing of personal data for purposes of certain profiling.
Contract Requirements
A contract between a controller and a processor must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. It must also require that the processor:
- Ensure that each person processing personal data is subject to a duty of confidentiality;
- Engage a subcontractor only (a) after providing the controller with an opportunity to object, and (b) pursuant to a written contract that requires the subcontractor to meet the obligations of the processor with respect to the personal data;
- Establish, implement, and maintain reasonably data security practices;
- Upon request, delete or return all personal data to the controller as requested at the end of the provision of services;
- Upon request, make available to the controller all information necessary to demonstrate compliance with the Act;
- Allow for, and contribute to, reasonable assessments and inspections by the controller or the controller’s designated assessor.
Sensitive Data
A controller may not process sensitive data concerning a consumer without obtaining the consumer’s consent.
“Sensitive data” is:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sexual orientation, or citizenship or immigration status;
- The processing of biometric data or genetic information for the purpose of uniquely identifying an individual;
- The personal data of a known child; or
- Specific geolocation data.
Enforcement
The Attorney General has exclusive authority to enforce the Act and may seek a civil penalty of not more than $7,500 per violation. The Act provides a 30-day cure provision that expires January 31, 2026.
For a chart comparing the state comprehensive data privacy laws, visit RMAI’s Privacy and Data Security Resource Center (login required).
RMAI strongly recommends that its members share this Member Alert with those in their organization who are responsible for their operations, compliance, and legal matters.
RMAI previously issued Member Alerts for other states’ comprehensive privacy laws enacted in 2023 and 2024.
This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.