6.4.24

Minnesota will join 17 others states across the nation with the passage of the Minnesota Consumer Data Privacy Act (MCDPA) on May 19, 2024. The legislation, signed by Governor Walz last month, goes into effect on July 31, 2025, for most entities subject to the law. Postsecondary institutions will have until July 31, 2029, to comply.

Generally, the MCDPA aligns with other state laws that have been passed in the last couple of years. One big note of caution to readers is that not all state comprehensive privacy laws default under a threshold set by California. I have observed a tendency for companies I work with to assume that the CCPA/CPRA is the high bar. However, state comprehensive privacy laws emerging over the last couple of years have nuances that must be considered when establishing new programs or updating existing ones. Each law must be reviewed to ensure there are not any updates required to existing programs or whether your company that previously didn’t fall under the requirements of any other existing law has become subject to the new law.

For those companies that already have established programs, here are some nuances in the MCDPA worth noting that will require review and potentially updates:

  1. Unique provisions for profiling practices- consumer rights and business obligations
  2. Provision to document and maintain a description of policies and procedures used to comply with MCDPA
  3. A provision for data privacy and protection assessment when, among other things, processing involves a “heightened” risk (undefined in MCDPA)
  4. Identification and documentation of an individual with primary responsibility for directing the policies and procedures (mentions “chief privacy officer”)

For companies not subject to state comprehensive privacy laws currently, there’s some additional nuances under the MCDPA to consider that could change your applicability status. For example:

  1. There is no blanket exception for entities compliant with HIPAA or GLBA. The MCDPA takes a different approach that focuses more on the data types and specific processing activities.
  2. Small businesses that meet the SBA definition are generally excluded, except that they must still obtain consent before selling sensitive data.
  3. Non-profits are not exempt unless the non-profit is established to detect and prevent fraudulent acts in connection with insurance.

Beyond just the MCDPA, companies collecting or processing information should pay attention to all the latest developments in the privacy law space. To help align privacy programs to the influx of new and changing obligations, companies should deploy some basic common practices to adapt to changing circumstances. Here are a few quick tips to help manage compliance with comprehensive privacy laws generally with some specific MCDPA references mixed in:

Know Your Data

Know what data your company collects or processes, why you collect that information, how it supports your business process, and what you do with that information. MCDPA requires a documented data inventory. Doing this properly can help with decision making in minimizing data collection, eliminating places where data is stored, and helping to decide whether that data should even be collected in the first place. The result could be a reduction in your attack surface thereby minimizing compliance exposure and helping to manage security risk. Privacy teams should work closely with IT security (if separate departments, of course) as basic concepts like inventory of data and equipment are security best practices. If these do not exist in your company currently, it would be good to establish them together.

Don’t Unnecessarily Reinvent the Risk Assessment Wheel

Develop or rework existing risk assessments to be data centric and focus on protecting key processes associated with protected data. This will help prioritize the never-ending list of to-dos for security and help with complying with reasonable data protection requirements in comprehensive state laws. Also, there is an opportunity for companies to leverage a common risk assessment for complying with data privacy and impact assessments. For example, the MCDPA specifically states that data protection assessments or risk assessments conducted for compliance with other laws or regulations may satisfy the obligation under the MCDPA.

Manage Third Parties

Understand and take third party dependencies seriously. Whether using a data processor or relying on a third-party vendor, third parties are a key risk area that every company must understand and manage properly. The first two tips help with this and can mitigate risk in more ways than just satisfying a compliance obligation. Laws like the MCDPA provide a perfect opportunity to tighten the reins on third parties.  For example, the MCDPA contains provisions for processors to implement security measures appropriate to the level of risk. Weak risk assessments could yield weak requirements on risky processors.

Avoid Creating Silos

Consolidate policies and procedures to avoid creating silos. Since the MCDPA specifically calls out a list of policies and procedures for complying with the law, there could be a reaction to just create MCDPA specific policies and procedures to check the box. However, this type of action only creates more problems when considering other compliance obligations and greatly increases the risk of those policies and procedures not being followed. Take the opportunity to implement effective policies and procedures specific to your company and avoid the tendency to just pull a template from online and swap out a name for the sake of compliance.

In conclusion, the MCDPA is not the last of the state comprehensive privacy laws. The legislature in Vermont also passed a new comprehensive privacy law that awaits its governor’s signature. Once signed, Vermont will shake up the entire country with its private right of action. At least 10 other states are also actively considering legislation, and, at the federal level, the American Privacy Rights Act (APRA) continues to receive consideration. Frankly, the federal government may have missed its opportunity two years ago as the wave of state level legislation only makes passage of a federal law more difficult. As the wave continues, hopes for a single federal law fade and companies should adapt to the reality that this complex network of state level legislation is here to stay for a while.

About: Jerrod Montoya leads the data protection practice at Truvantis, a cybersecurity and data protection company. Jerrod helps companies of all sizes navigate the complicated world of data protection and its intersection with cybersecurity.