
Keypoint: The Minnesota bill contains several unique requirements and provisions, including a novel right to question the result of a profiling decision, privacy policy provisions that increase interoperability with existing state laws, and new privacy program requirements such as a requirement for controllers to maintain a data inventory.
On May 19, the Minnesota legislature passed the Minnesota Consumer Data Privacy Act (HF 4757 / SF 4782). The bill, which is sponsored by Representative Steve Elkins, was passed as Article 5 of a larger omnibus bill. The bill next moves to Governor Tim Walz for consideration.
The Minnesota bill largely tracks the Washington Privacy Act model but with some significant and unique variations. For example, the bill creates a novel right to question the result of a profiling decision and have a controller provide additional information regarding that decision. It also contains privacy policy requirements that are intended to increase interoperability with other state consumer data privacy laws. Further, the bill contains provisions requiring controllers to maintain a data inventory and to document and maintain a description of the policies and procedures the controller has adopted to comply with the bill’s provisions. We discuss those requirements and provisions, along with others, in the article below.
As with prior bills, we have added the Minnesota bill to our chart providing a detailed comparison of laws enacted to date.
Applicability
The bill generally follows the traditional Washington Privacy Act applicability standard with one exception concerning the treatment of small businesses.
The bill applies to legal entities that conduct business in the state or produce products or services targeted to state residents and that either (1) during a calendar year, control or process the personal data of at least 100,000 consumers (excluding payment transaction data) or (2) derive over 25% of gross revenue from the sale of personal data and process the personal data of at least 25,000 consumers. The 100,000-consumer threshold is approximately 1.75% of the state’s 5.7 million population.
However, in a unique variation, the bill excludes small businesses as defined by the United States Small Business Administration. This is similar to the approach found in Texas and Nebraska, except that those laws do not use the 100,000-consumer applicability threshold. Minnesota also follows Texas and Nebraska insofar as small businesses (regardless of the number of consumers whose data they process) cannot sell a consumer’s sensitive data without the consumer’s prior consent.
The bill does not exempt HIPAA covered entities or business associates but does contain several health-related data level exemptions.
The bill contains a GLBA data level exemption. Similar to Oregon’s law, the bill does not contain a GLBA entity-level exemption but does exempt “a state or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities, as described in” 12 U.S.C. § 1843(k).
The bill does not exempt non-profits with the exception that it exempts nonprofits that are established to detect and prevent fraudulent acts in connection with insurance.
Consumer Rights
Minnesota tracks Oregon’s law and provides that a “consumer has a right to obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers’ personal data may be provided instead.”
Minnesota requires controllers to recognize universal opt-out mechanisms (UOOMs) to opt consumers out of sales and targeted advertising. It does not contain a delayed effective date for recognizing UOOMs.
Minnesota also is the first state to statutorily provide that controllers do not have to produce sensitive information such as Social Security numbers, driver’s license numbers, and biometric data in response to a request to access. California and Colorado have similar prohibitions through rulemaking.
Additional Profiling Rights
In another unique variation, Minnesota strengthens the right to opt out of profiling by providing that a profiled consumer “has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future.” A consumer also has the “right to review the consumer’s personal data used in the profiling” and, if “the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.”
Although no other consumer data privacy law includes these provisions, Colorado’s Artificial Intelligence Act (SB 205) contains a somewhat analogous right to notice and appeal in C.R.S. § 6-1-1703(4)(b). The Minnesota language was relevant in framing the language in Colorado’s AI law. In addition, Part 9 of the Colorado Rules contains extensive profiling disclosure requirements that controllers subject to both will need to consider and synthesize.
Unique Privacy Policy Requirements
Minnesota largely tracks existing privacy policy disclosure requirements but contains some helpful language that is intended to increase interoperability.
First, as is typical with other privacy laws, Minnesota requires controllers that have to provide an opt-out to provide a clear and conspicuous method to effectuate the opt-out request. However, the bill goes on to state that the “method may include but is not limited to an internet hyperlink clearly labeled ‘Your Opt-Out Rights’ or ‘Your Privacy Rights’ that directly effectuates the opt-out request or takes consumers to a web page where the consumer can make the opt-out request.” This language tracks language found in the California Regulation § 7015(b) and Colorado Rule 4.03B.3, thereby affirming a current practice of using one link for multiple jurisdictions.
Minnesota also helpfully clarifies that a controller does not need “to provide a separate Minnesota-specific privacy notice or section of a privacy notice if the controller’s general privacy notice contains all the information required by” the bill.
Further, Minnesota tracks California Regulation § 7011(d) and Colorado Rule 6.02E by providing that the “privacy notice must be posted online through a conspicuous hyperlink using the word ‘privacy’ on the controller’s website home page or on a mobile application’s app store page or download page. A controller that maintains an application on a mobile or other device shall also include a hyperlink to the privacy notice in the application’s settings menu or in a similarly conspicuous and accessible location. A controller that does not operate a website shall make the privacy notice conspicuously available to consumers through a medium regularly used by the controller to interact with consumers, including but not limited to mail.”
Finally, Minnesota includes a provision directing controllers how to handle material changes in their privacy practices. The bill provides that “[w]henever a controller makes a material change to the controller’s privacy notice or practices, the controller must notify consumers affected by the material change with respect to any prospectively collected personal data and provide a reasonable opportunity for consumers to withdraw consent to any further materially different collection, processing, or transfer of previously collected personal data under the changed policy.” The bill goes on to provide that a “controller shall take all reasonable electronic measures to provide notification regarding material changes to affected consumers, taking into account available technology and the nature of the relationship.” This provision is inspired by Colorado Rule 6.04 and FTC guidance.
New Privacy Program Requirements
Minnesota creates several new and potentially significant privacy program requirements. First, Minnesota is the first state to require controllers to maintain data inventories. Specifically, the bill states that a “controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue.”
Minnesota also provides that a “controller may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under” an exception. This provision is similar to language found in GDPR, Article 5.
Finally, Minnesota creates a requirement that a controller “document and maintain a description of the policies and procedures that controller has adopted to comply” with the bill. The description is required to include the name and contact information for the controller’s chief privacy officer or other individual with primary responsibility for directing the policies and procedures implemented to comply with the bill. It also must include a description of the controller’s policies and procedures regarding the controller’s responsibilities set forth in section 325O.07 (e.g., transparency, use of data, nondiscrimination) and any policies and procedures designed to:
“(i) reflect the requirements of this chapter in the design of the controller’s systems;
(ii) identify and provide personal data to a consumer as required by this chapter;
(iii) establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise the responsibilities under this item;
(iv) limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed;
(v) prevent the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under section 325O.09; and
(vi) identify and remediate violations of this chapter.”
Unique Definition of Specific Geolocation Data
One of Representative Elkins’ areas of focus during the stakeholdering process was the bill’s definition of specific geolocation data. Representative Elkins was concerned that the traditional definition (i.e., identifying an individual’s location within a 1,750-foot radius) was arbitrary. Instead, the Minnesota bill defines specific geolocation as “information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the geographic coordinates of a consumer or a device linked to a consumer with an accuracy of more than three decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates.”
Non-Discrimination
Minnesota contains a unique anti-discrimination provision that provides that a “controller shall not process personal data on the basis of a consumer’s or a class of consumers’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.”
Maryland’s new data privacy law contains a similar but different provision.
Enforcement
The bill is enforceable by the Attorney General’s office. There is no private right of action. The bill contains a thirty-day right to cure that expires January 31, 2026.
Rulemaking
The bill does not authorize Attorney General rulemaking.
Effective Date
The bill’s effective date is July 31, 2025, except that postsecondary institutions regulated by the Office of Higher Education are not required to comply until July 31, 2029.