Lathrop GPM LLP

 

What law(s) specifically govern personal data / information?

Minnesota’s comprehensive privacy statute is the Minnesota Consumer Data Privacy Act (the “MCPA”), Minn. Stat. ch. 325O, enacted in 2024 and effective July 31, 2025. The sector-specific statutes listed at the end of this section (breach notification, the Plastic Card Security Act and others) continue to apply alongside it.

Who Is Covered?

The MCPA covers legal entities that conduct business in Minnesota or produce products or services targeted to state residents and that satisfy one or more of the following:

  • during a calendar year, control or process the personal data of at least 100,000 consumers (excluding personal data controlled or processed solely to complete a payment transaction); or
  • derive over 25% of gross revenue from the sale of personal data and control or process the personal data of at least 25,000 consumers.

MCPA Definitions

Personal data is defined as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” Personal data does not include deidentified data or publicly available information. “Publicly available information" means information that (1) is lawfully made available from federal, state, or local government records or widely distributed media, or (2) a controller has a reasonable basis to believe has lawfully been made available to the general public.

The MCPA uses the term “controller”, which tracks the definition in the General Data Protection Regulation (GDPR) and other data privacy laws: a controller is the “natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.”

The MCPA defines "consumer" as a natural person who is a Minnesota resident acting only in an individual or household context. Consumer does not include a natural person acting in a commercial or employment context. This means that the MCPA does not apply to personal data relating to job applicants, employees, and individuals acting in their capacity as business representatives.

For the purposes of the MCPA a “sale” includes an exchange of personal data for monetary consideration or “any other valuable consideration.”

The MCPA specifically applies to “technology providers” that contract with public education agencies and institutions pursuant to Minnesota Statute § 13.32.

MCPA Exemptions

The MCPA includes exemptions for certain types of businesses and data. Governmental entities, federally recognized Indian tribes, “small businesses” as defined by the U.S. Small Business Administration regulations, air carriers under the Airline Deregulation Act, and certain kinds of banks, credit unions and insurance companies are exempt. The small-business exemption is not absolute: an otherwise exempt small business still may not sell a consumer’s sensitive data without the consumer’s prior consent.

Unlike the California Consumer Privacy Act (“CCPA”) and other state data privacy laws, there is no broad exemption for non-profits. Non-profits are exempt if they are “established to detect and prevent fraudulent acts in connection with insurance.” The MCPA does not include an entity-level exemption for companies that are covered entities or business associates under HIPAA.

The data-level exemptions are consistent with most other state privacy laws. Specifically, the MCPA exempts data regulated by HIPAA, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, the Minnesota Insurance Fair Information Reporting Act, and various other regulations.

Enhanced Privacy Rights for Consumers

The MCPA contains obligations for controllers that largely follow provisions in other comprehensive state privacy laws.

Provisions similar to other state laws include recognition of universal opt-out mechanisms, required data protection assessments, exclusive attorney general enforcement, and a 30-day right to cure that sunsets in 2026.

The MCPA provides consumers with the right to:

  • Confirm whether a controller is processing personal data about the consumer and to access the categories of personal data processed by the controller;
  • Correct inaccurate personal data concerning the consumer, taking into account the nature of the data and purposes of processing;
  • Delete the consumer’s personal data (subject to exceptions);
  • Obtain a copy of personal data that the consumer previously provided to the controller, where the data processing is conducted by automated means;
  • Obtain a list of the specific third parties to whom the controller disclosed the consumer’s personal data or, if not available, a list of the specific third parties to whom the controller has disclosed any consumers’ personal data; and
  • Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of automated decisions that produce legal or similarly significant effects concerning the consumer.

How is MCPA Different?

Profiling

The law includes new consumer rights and business obligations around profiling practices. Consumers can request information regarding a profiling decision carried out against them, including the reasoning behind a particular profiling decision and access to the data used to reach the decision.

A profiled consumer “has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future.” A consumer also has the “right to review the consumer’s personal data used in the profiling” and, if “the decision is determined to have been based upon inaccurate personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data, the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.”

Data Inventory

A controller must maintain a data inventory as part of its data security practices and must document the policies and procedures it uses to secure personal data and to comply with the law.

Minnesota is the first state to require businesses to maintain such data inventories.

The law states that a “controller shall establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices shall be appropriate to the volume and nature of the personal data at issue.”

Data Retention

The new law provides that a “controller may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law” or permitted under a statutory exception, such as performing a contract to which the consumer is a party, fulfilling the terms of a written warranty, and the other purposes specifically listed in the MCPA.

Must Document Compliance

A business must “document and maintain a description of the policies and procedures that controller has adopted to comply” with the law. The description must include the name and contact information for the controller’s chief privacy officer or other individual with primary responsibility for directing the policies and procedures implemented to comply with the law.

Enforcement

The MCPA is enforceable by the Attorney General’s office. There is no private right of action.  Violations of the MCPA are subject to injunctive relief and civil penalties up to USD $7,500 per violation. The Minnesota Attorney General is required to provide a controller or processor with notice of the specific provisions of the MCPA that it alleges have been violated and 30 days to cure the violations prior to bringing an enforcement action. This cure provision expires on January 31, 2026. 

Effective Date

The law’s effective date is July 31, 2025. Postsecondary institutions regulated by the Office of Higher Education are not required to comply until July 31, 2029.

There is no explicit data privacy provision in the Minnesota State Constitution.

Tort Law. The tort of invasion of privacy has been identified and described in the Restatement (Second) of Torts § 652 (1977) (“Restatement”) and includes: 1) intrusion upon seclusion; 2) public disclosure of private facts; 3) appropriation of name or likeness; and 4) publicly placing a person in false light. Other torts and causes of action related to privacy may include defamation, assault and battery, trespass, breach of confidentiality, intentional infliction of emotional distress, negligence, and right of publicity.

Common Law Invasion of Privacy. In Lake v. Wal-Mart Stores, Inc., 582 N.W.2d 231 (Minn. 1998), the Minnesota Supreme Court recognised a common-law right to privacy in Minnesota and adopted the Restatement definitions for three of the four Restatement torts (intrusion upon seclusion, appropriation and publication of private facts), while declining to recognise false light publicity. [See also Bodah v. Lakeville Motor Express, Inc., 663 N.W.2d 550 (Minn. 2003).] The most common privacy claims raised by employees against employers are intrusion upon seclusion and publication of private facts. To prove either claim, however, the plaintiff must first demonstrate a reasonable expectation of privacy.

Minn. Stat. § 325M.01 Internet Service Providers
Minn. Stat. § 609.527 Identity Theft/Phishing
Minn. Stat. § 325E.61 Data Breach Notification
Minn. Stat. § 13.055 Data Breach Notification (Government Agencies)
Minn. Stat. ch. 13 Minnesota Government Data Practices Act
Minn. Stat. § 13.15 Government Websites
Minn. Stat. § 325E.64 Plastic Card Security Act
Minn. Stat. § 325E.59 Social Security Numbers
Minn. Stat. § 626A.02 Interception and Disclosure of Wire, Electronic, Or Oral Communications Prohibited

More background on Minnesota data privacy and security laws can be found in the Legal Guide to Privacy and Data Security prepared in collaboration with the Minnesota Department of Employment and Economic Development.

 

What are the key data protection principles in this jurisdiction?

No general principles. See MCPA.

 

What is the supervisory authority / regulator in charge of data protection?

No central data privacy supervisory authority or regulator except for Minnesota Attorney General.

 

Is there a requirement to register with a supervisory authority / regulator?

No notification required.

 

Is there a requirement to notify the supervisory authority / regulator?

No notification required.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Not applicable.

 

What are the key data subject rights under the data protection laws of this jurisdiction?

See MCPA.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

No statutory requirement to appoint a data protection officer. The MCPA does, however, require the controller’s written description of its compliance policies and procedures to name, with contact information, its chief privacy officer or the individual with primary responsibility for directing those policies and procedures (see above).

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

The MCPA requires a controller to conduct “data privacy and protection assessments” for certain processing activities, including processing personal data in connection with targeted advertising, sales of personal data, processing sensitive data, profiling that presents a heightened risk of harm to consumers and profiling that presents certain types of foreseeable risks (e.g., unfair and deceptive treatment, financial or reputational injury, intrusion on seclusion, etc.). The controller needs to document and retain such assessments and make them available to the Minnesota Attorney General upon request.

 

Does this jurisdiction have any specific data breach notification requirements?

See Minn. Stat. §§ 325E.61 and 13.055 Data Breach Notification.

Minn. Stat. §§ 325E.61 and 13.055 Data Breach Notification

A person or business that conducts business in Minnesota and owns or licenses computerized data that includes personal information must disclose any breach of the security of the system to any Minnesota resident whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. A person or business that merely maintains such data on behalf of its owner or licensee must instead notify the owner or licensee immediately following discovery of the breach, if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

Definition of Personal Information. For Minnesota residents, personal information means an individual’s first name or first initial and last name in combination with one or more of the following data elements: social security number; driver’s license number or state-issued identification card number; or account number, credit card number or debit card number, combined with any security code, access code, PIN or password that would permit access to the individual’s financial account. The statute applies to computerized data; encrypted personal information does not trigger the notification duty.

Definition of Breach. “Breach of the security of the system” means unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business. Good-faith acquisition of personal information by an employee or agent of the person or business for the business’s own purposes is not a breach, provided the information is not used or subject to further unauthorized disclosure.

Content of Notice. There is no specific requirement as to content of the notification.

Timing. The notification requirement is triggered upon discovery or notification of a breach of the security of the system.

Notification must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or with any measures necessary to determine the scope of the breach, identify the individuals affected, and restore the reasonable integrity of the data. If more than 500 persons must be notified (1,000 for state agencies), all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis must also be notified within 48 hours of the timing, distribution, and content of the notices sent to Minnesota residents.

Penalty. The Minnesota Attorney General may enforce this law by seeking injunctive relief and/or a civil penalty not to exceed USD $25,000.

Exemptions. An exemption from this notification statute may apply to an entity that is otherwise covered by a federal law such as the GLBA or HIPAA. As noted above, encrypted information is exempt but the Minnesota statute does not define encryption.

Note that government agencies have different obligations regarding data breach notification that are set forth in Minn. Stat. § 13.055 Data Breach Notification (Government Agencies).

 

What restrictions apply to the international transfer of personal data / information?

No restrictions.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

Not expressly, but the MCPA applies to any entity that conducts business in Minnesota or produces products or services targeted to Minnesota residents and meets the applicability thresholds, regardless of where the entity is located. Likewise, the breach notification statute applies to any person or business conducting business in Minnesota that owns, licenses or maintains personal information of Minnesota residents.

 

What rules specifically deal with marketing?

There are no rules specific to marketing as such. Note, however, that the MCPA regulates targeted advertising and the sale of personal data: consumers may opt out of both, and processing personal data for either purpose requires a data privacy and protection assessment (see below).

 

Do different rules apply to business-to-business and business-to-consumer marketing?

No.

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

No state laws. Federal laws such as CAN-SPAM and TCPA apply.

 

What rules specifically deal with cookies?

No cookie-specific state law. Cookie-based tracking used for targeted advertising or the sale of personal data is, however, subject to the MCPA’s opt-out rights, including the obligation to honour universal opt-out mechanisms.

 

What are the consequences of non compliance with data protections laws (including marketing laws)?

There is no state regulator other than the Minnesota Attorney General, who may seek injunctive relief and civil penalties of up to USD $7,500 per violation under the MCPA (subject to the 30-day cure period until January 31, 2026) and up to USD $25,000 under the data breach notification statute discussed above. Neither statute provides a private right of action, although the Plastic Card Security Act (see below) allows card-issuing financial institutions to recover breach-related costs from noncompliant businesses.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

Organisations outside Minnesota should first assess whether they meet the MCPA’s applicability thresholds (the law reaches any entity that targets products or services to Minnesota residents) and whether the breach notification statute applies to them as a business conducting business in Minnesota. A third statute with no counterpart in most states is the Plastic Card Security Act.

Minn. Stat. § 325E.64 Plastic Card Security Act

In 2007 Minnesota became the first state to incorporate a portion of the PCI DSS into its data security and data breach laws. Known as the Plastic Card Security Act, the law was passed largely in response to the massive data breach at TJX Companies, after which card issuers had to reissue millions of debit and credit cards. It applies to any “person or entity conducting business in Minnesota” that accepts credit cards, debit cards, stored value cards or similar cards issued by financial institutions, and prohibits such a business from retaining the card security code (CVV), the PIN verification code number or the full contents of any track of magnetic stripe data after the transaction has been authorised (or, for PIN debit transactions, 48 hours after authorisation).

A business that suffers a security breach while holding such prohibited cardholder data is liable to card-issuing financial institutions for the “costs of reasonable actions” taken to protect their cardholders’ information and to continue providing services to cardholders after the breach. Recoverable costs include notification, cancellation and reissuance of cards, closing and reopening of accounts, stop payments, and refunds of unauthorised transactions. The financial institution may also bring an action to recover the damages it pays to cardholders as a result of the breach, so the Act effectively gives card issuers a private right of action against noncompliant merchants and processors.

 

What upcoming data protection developments should multinational organisations be aware of?

The MCPA is effective July 31, 2025.

Disclaimer:
© 2025, Lathrop GPM LLP. All rights reserved by Lathrop GPM LLP as author and the owner of the copyright in this chapter. Lathrop GPM LLP has granted to Multilaw non-exclusive worldwide license to use and include this chapter in this guide and to sublicense Lexis Nexis, a division of RELX Inc. and its affiliates certain rights to use and distribute this Guide.

The information in the International Data Protection Laws Guide provides a general overview at the time of publication and is not intended to be a comprehensive review of all legal developments nor should it be taken as opinion or legal advice on the matters covered. It is for general information purposes only and readers should take legal advice from a Multilaw member firm.


Need more information?
Contact a member firm:
Michael Cohen
Lathrop GPM LLP
USA - Minnesota