Hunton Andrews Kurth writes:
On May 24, 2024, Governor Tim Walz signed H.F. 4757 into law, enacting the Minnesota Consumer Data Privacy Act (“MNCDPA” or “Act”). The MNCDPA will take effect on July 31, 2025.
Applicability
The MNCDPA applies to:
- Legal entities that conduct business in Minnesota or produce products or services that are targeted to residents of Minnesota, and that satisfy one or more of the following thresholds: (1) during a calendar year, controls or processes personal data of 100,000 consumers or more, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or (2) derives over 25 percent of gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.
- A controller or processor acting as a “technology provider” under Minnesota law (e., certain persons who contract with a public educational agency or institution).
The MNCDPA applies to Minnesota consumers (i.e., Minnesota residents who act only in an individual or household context and not in a commercial or employment context). The MNCDPA contains numerous exemptions, including exemptions for state or federally chartered banks or credit unions and certain affiliates or subsidiaries, certain insurance companies, nonprofit organizations established to detect and prevent insurance fraud, data subject to the Gramm-Leach-Bliley Act; PHI under HIPAA, and certain air carriers. Small businesses as defined by the U.S. Small Business Administration are exempt except from the Act’s sale of sensitive data requirements.
Read more at Privacy & Information Security Law Blog.