Senior Content Marketing Manager II
October 31, 2024 · 7 min read
The first step in addressing the Minnesota Consumer Data Privacy Act (MCDPA) is to figure out whether or not your business falls under its scope, as not all organizations will be affected.
The MCDPA applies to businesses that:
Certain exemptions apply, including government agencies and entities governed by specific federal regulations.
Minnesota's privacy law outlines several compliance obligations for businesses. We cover the most significant below:
Controllers must honor the following consumer rights:
Businesses subject to the law must implement processes that enable consumers to easily submit their requests. These mechanisms should also help the business respond to these requests quickly and efficiently.
Privacy solutions like Transcend DSR Automation can help.
Businesses must provide a clear and accessible privacy notice that includes:
This policy must be easy for a consumer to find and written in a way that's easy to understand: no unnecessary jargon or legalese!
Businesses must implement reasonable administrative, technical, and physical security measures to protect consumers' personal data. This means establishing policies and procedures to manage data handling, ensuring that technical safeguards like encryption and access controls are in place, and securing physical environments where data is stored.
Before processing sensitive personal data, organizations must obtain opt-in consent. Recognizing the need for extra protection for younger users, the MCDPA also requires that organizations get opt-in consent before selling the personal data of consumers under 13 or sharing it for targeted advertising.
Organizations are also obligated to provide a straightforward and accessible method for consumers to revoke their consent at any time. This empowers consumers to have greater control over their personal information, safeguarding their privacy and ensuring their preferences are respected.
Controllers are required to establish contracts with processors that detail several critical aspects of their working relationship. These contracts must clearly outline the instructions for processing data, ensuring that every step is understood and followed precisely. They also need to guarantee the confidentiality of the data being handled to better safeguard sensitive information against unauthorized access.
Controllers are required to conduct thorough assessments for high-risk data processing activities. These activities include targeted advertising, the sale of personal data, and profiling activities that could have substantial effects on an individual's life or livelihood.
Under the Minnesota Consumer Data Privacy Act, businesses must honor universal opt-out mechanisms (UOOM) like the Global Privacy Control (GPC) browser signal. By accommodating these universal preferences, businesses demonstrate a commitment to upholding consumer privacy rights and ensuring compliance with the MCDPA.
Minnesota's Consumer Data Privacy Act (MCDPA) shares several similarities with other state privacy laws, but it also sports a few distinctive elements. Here are some of the key differences:
The MCDPA grants consumers the unique right to challenge the outcomes of profiling. While other laws allow individuals to opt out of profiling for decisions that have significant impacts, Minnesota takes it a step further by allowing consumers to:
This provision enhances consumer awareness and control over automated decision-making processes.
Minnesota is the first state to mandate that covered entities create and maintain a data inventory. Although data mapping is regarded as a best practice in other jurisdictions, the MCDPA establishes it as a legal requirement, requiring companies to keep "an inventory of data that must be managed to exercise these responsibilities."
In contrast to most state laws, the MCDPA allows consumers to request the identities of the specific third parties with whom their personal data has been shared. If this isn't feasible, controllers must provide a list of the specific third parties to whom any consumer's data has been disclosed.
The MCDPA takes anti-discrimination efforts a step further by explicitly banning the processing of personal data based on protected characteristics, such as race, gender, or religion, in ways that unlawfully discriminate in important areas like housing, employment, credit, education, or public accommodations.
Minnesota's privacy law specifically prohibits processing personal data for targeted advertising when the controller knows that the consumer is aged between 13 and 16 years, unless opt-in consent is obtained.
The MCDPA introduces specific data security obligations, including:
Unlike many other state privacy laws, the MCDPA includes an exemption for small businesses as defined by the U.S. Small Business Administration.
The law also features much narrower exemptions for nonprofits compared to other state privacy laws, potentially making many nonprofit organizations subject to its requirements.
To prepare for compliance with the Minnesota Consumer Data Privacy Act, businesses can take several key steps:
To determine if your organization falls under the MCDPA's scope, evaluate whether you control or process the personal data of 100,000 or more Minnesota consumers annually, or if you generate over 25% of your gross revenue from selling personal data while processing data for at least 25,000 Minnesota consumers.
Create a comprehensive inventory of all personal data collected, detailing categories of data and their purposes for collection. Additionally, mapping data flows will help you understand how personal data moves through your data ecosystem, providing better insights on your data handling practices.
Learn more: Transcend Data Inventory and Structured Discovery
Implement mechanisms to obtain consent for processing sensitive data, ensuring that consent is freely given, specific, informed, and unambiguous. It's also important to provide clear and accessible opt-out options for data sales and targeted advertising.
Learn more: Transcend Consent Management
Establish processes to promptly fulfill consumer data requests. This includes requests to access personal data, correct inaccuracies, delete personal data, and obtain a list of third parties that have received their data.
Additionally, consumers should be able to opt out of personal data sales, targeted advertising, and profiling for decisions that have legal or significant impacts. You'll also need to create an appeals process for any denied consumer requests.
Learn more: Transcend DSR Automation
Your privacy policy should clearly outline several key aspects, including the categories of personal data processed, the purposes for processing each category, and an explanation of consumer privacy rights along with instructions on how individuals can exercise these rights.
It should also specify the categories of personal data sold or shared with third parties, the types of third parties involved, the organization's contact information, data retention policies, the date of the last update, and whether data is sold or processed for targeted advertising or profiling.
Conduct and document assessments related to data protection for various activities, including targeted advertising, the sale of personal data, processing of sensitive data, and any processing activities that pose heightened risks to consumers, including profiling.
Learn more: Transcend Assessments
Your organization should establish and maintain reasonable administrative, technical, and physical security practices to protect personal data. Designating a chief privacy officer or an individual responsible for overseeing data protection will help ensure compliance and accountability.
Review and update contracts with data processors to include the necessary provisions mandated by the MCDPA. It's crucial you make sure that processors adhere to your instructions and maintain confidentiality in their handling of personal data.
To prevent unauthorized data processing, set up systems that recognize and respect universal opt-out signals like the Global Privacy Control. Make sure these mechanisms propagate consumer preferences across your tech stack.
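One way to recognize the Global Privacy Control signal at both ends of a request and turn it into a preference record, as an added JavaScript example that is not Transcend's code. The preference field names, the constructed sample requests, and the mapping of a GPC signal to opt-outs of sale and targeted advertising are assumptions made here.

```javascript
// Added example: detect the Global Privacy Control (GPC) opt-out signal and
// record the consumer's preference so downstream systems can consult it.

// Server side: per the GPC spec the browser sends the request header
// "Sec-GPC: 1". Only the value "1" is a signal; anything else, or a missing
// header, means the consumer sent no opt-out preference.
function gpcSignalFromHeaders(headers) {
  const entry = Object.entries(headers || {}).find(
    ([name]) => name.toLowerCase() === "sec-gpc"
  );
  return entry !== undefined && String(entry[1]).trim() === "1";
}

// Browser side: the same signal is exposed as navigator.globalPrivacyControl,
// a boolean that is true when the user has enabled GPC.
function gpcSignalFromNavigator(nav) {
  return nav !== undefined && nav !== null && nav.globalPrivacyControl === true;
}

// Apply the signal to a preference record. Assumption (not from the page):
// a GPC signal is treated as an opt-out of data sales and targeted
// advertising. Existing preferences are left untouched when no signal is
// present, so an explicit choice the consumer already made is not erased.
function applyOptOutSignal(prefs, signalPresent) {
  if (!signalPresent) return { ...prefs };
  return {
    ...prefs,
    saleOfPersonalData: false,
    targetedAdvertising: false,
    source: "gpc",
  };
}

// Constructed sample requests, embedded so the example runs offline.
const SAMPLE_REQUESTS = [
  { id: "req-1", headers: { "sec-gpc": "1", "user-agent": "example" } },
  { id: "req-2", headers: { "user-agent": "example" } },
  { id: "req-3", headers: { "Sec-GPC": "0" } },
];

// Evaluate every sample request against default "allowed" preferences.
function evaluateRequests(requests) {
  const defaults = { saleOfPersonalData: true, targetedAdvertising: true };
  return requests.map((req) => ({
    id: req.id,
    prefs: applyOptOutSignal(defaults, gpcSignalFromHeaders(req.headers)),
  }));
}
```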
Transcend is the next-generation platform for privacy and data governance. Encoding privacy at the code layer, we provide solutions for any privacy challenge your teams may be facing, including getting you ready for new legislation like Minnesota's data privacy law.
From Consent Management to DSR Automation to a full suite of data mapping solutions (Data Inventory, Silo Discovery, Structured Discovery, Unstructured Discovery, and more), Transcend has you covered as your company grows and evolves in a swiftly changing regulatory environment.