Law: Minnesota Consumer Data Privacy Act (MCDPA)

Regulator: The Minnesota Attorney General's Office (AG)

Summary: The MCDPA was approved by the Governor of Minnesota on May 24, 2024, and will enter into effect on July 31, 2025. The MCDPA marks the State's first comprehensive privacy legislation and establishes obligations for controllers and processors including requiring controllers to document and maintain a description of the policies and procedures adopted to comply with the MCDPA. The MCDPA also restricts the use of data and lays down obligations regarding vendor management and the conducting of data protection assessments. The MCDPA also provides consumer rights, including the right to confirmation, access, correction, deletion, and opt out, among others. The AG is granted exclusive authority to enforce the provisions of the MCDPA and does not provide for a private right of action.

Additionally, Minnesota is one of the few States that has a specific law on internet service providers (ISPs). In particular, Chapter 325M on Internet Privacy prohibits disclosure of personally identifiable information (PII) unless certain conditions apply and requires reasonable steps be taken to maintain the security and privacy of a consumer's PII. Furthermore, under §325E.61 of the Minnesota Statutes a breach of the security of a system must be communicated to affected residents without unreasonable delay and to consumer reporting agencies within 48 hours if the breach affected more than 500 residents.

You can follow legislative developments in the US through the USA State Law Tracker.