Legal Alert
How to Prepare for the Minnesota Consumer Data Privacy Act (MCDPA)
July 9, 2024
The Minnesota Consumer Data Privacy Act (MCDPA), enacted as part of the broader HF 4757 bill, was passed by the Minnesota legislature on May 19, 2024, and signed into law by Governor Tim Walz on May 24, 2024. The MCDPA is the first state privacy law to introduce data inventory requirements in Minnesota. It will take effect on July 31, 2025.
Does the MCDPA Apply to My Company?
The MCDPA generally applies to legal entities that operate in Minnesota or target their products or services to Minnesota consumers, if they meet at least one of the following thresholds:
- Data Volume Threshold: During a calendar year, the business controls or processes personal data of 100,000 or more consumers; or
- Revenue and Data Threshold: The business derives over 25% of its gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.
What Is the Purpose of the MCDPA?
The MCDPA requires covered businesses to (i) implement a comprehensive privacy program that protects the privacy of Minnesota consumers, and (ii) be able to demonstrate that they have such a policy.
What Are the Key Requirements of the MCDPA?
The MCDPA introduces several significant consumer data privacy rights and obligations for businesses. Below is a summary highlighting the key aspects of the MCDPA.
- Right to Challenge Profiling Decisions: Consumers have the right to challenge profiling decisions that result in legal or similarly significant effects. This includes the right to:
  - Question the outcome of the profiling;
  - Be informed about the reasoning behind the decision based on profiling;
  - Understand what actions they could have taken to achieve a different outcome and how to avoid such decisions in the future;
  - Review their personal data used in the profiling process;
  - Request correction of inaccurate data used in profiling and a reevaluation of the decision based on the corrected data.
- Right to Obtain List of Third-Party Data Recipients: Consumers may request a list of specific third parties with whom their personal data has been shared.
- Documentation Requirements: Businesses are required to document their policies and procedures for complying with the MCDPA.
- Data Security: The business must establish, implement, and maintain robust security measures to protect the confidentiality, integrity, and accessibility of personal data. This includes maintaining a detailed inventory of all personal data collected and processed.
- Data Inventory: The business must maintain a data inventory as part of its reasonable security practices. The MCDPA does not provide specific guidance on the content or format of this inventory. Minnesota is the first state to introduce this requirement.
- Data Minimization: The business must limit the collection of personal data to only what is necessary and relevant for the stated purpose of data processing.
- Data Retention: The business must establish clear policies for data retention, ensuring that personal data is not kept for longer than necessary for the original purpose of collection.
- Violation Response: The program must outline procedures for identifying and addressing any violations of the MCDPA.
What Should My Business Do Next?
Any business that meets the thresholds and is not covered by an exclusion should carefully review its privacy program policies and procedures to ensure they are compliant with the MCDPA before July 31, 2025. Businesses should be proactive, as it can take time to develop and implement the required processes and procedures.
Once a business has its privacy program in place and compliant with the MCDPA, it should continue to monitor evolving best practices and regulatory changes, conduct periodic risk assessments, and document results to ensure they are available for regulatory review.
We Can Help
Maslon can help guide your company through its assessment, implementation, and deployment of policies and procedures necessary for MCDPA compliance. We can also help you determine whether the MCDPA applies to you and help you remain compliant with other emerging privacy regulations.