It’s the season of lists and next on ours: Minnesota! This state joined 18 others to enact comprehensive data privacy legislation in recent years. To avoid being on the “naughty” list, make sure to review your compliance program! On May 19, 2024, Minnesota Governor Tim Walz (D) signed into law the Minnesota Consumer Data Privacy Act (“MNCDPA”), which will take effect on July 31, 2025. While the MNCDPA’s framework is similar to many other state privacy laws already in effect, the law also includes notable provisions for small businesses and broader consumer rights around profiling.
The following article explains what businesses are covered by the law and highlights key provisions of the MNCDPA. To Whom Does the Minnesota Consumer Data Privacy Act Apply? The Minnesota Consumer Data Privacy Act applies to entities that: conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota; and during a single calendar year, satisfy one of the following criteria: control or process personal data of at least 100,000 consumers, not including personal data controlled or processed solely for the purpose of completing a payment transaction; or control or process personal data of at least 25,000 Minnesota consumers and derive over twenty-five percent (25%) of their annual gross revenue from the sale of personal data. Like most other states, the MNCDPA defines a “consumer” as an individual who is a resident of Minnesota and acting only.