Privacy Daily is a service of Warren Communications News.
Data Inventory Required

Minnesota's Comprehensive Privacy Law Takes Effect, Includes Novel Right to Question

Minnesota's comprehensive privacy law, which took effect Thursday, uniquely requires companies to allow consumers to question their automated decisions. The law also includes uncommon requirements about material changes to privacy policies and about giving consumers lists of specific third parties. While companies will also face, for the first time, requirements such as conducting data inventories and appointing chief privacy officers, many of the law's stipulations are already best practices, privacy lawyers told us.

"There are a few unusual requirements that are new in this law that you don't see in some of the other comprehensive privacy laws," Zachary Klein, a privacy attorney with Davis+Gilbert, told Privacy Daily. However, “a lot of these requirements are things companies should be doing anyway.” Still, for some businesses, he said, Minnesota’s law could be a "wake-up call."

Elizabeth Johnson, a Wyrick privacy attorney, said companies that comply with other states’ privacy laws and are comfortable with 80%-85% compliance are “probably in decent shape for Minnesota.” Johnson added that some items that are novel for a state comprehensive privacy law can be found in other statutes, including the Fair Credit Reporting Act (FCRA) and the Health Insurance Portability and Accountability Act (HIPAA).

At a press conference Monday, Minnesota Rep. Steve Elkins (D) said the “most important innovation” of the Minnesota Consumer Data Privacy Act that he authored is its unique consumer right to question profiling decisions that have a legal or similarly significant impact (see 2507280062).

The Minnesota law states: “If a consumer's personal data is profiled in furtherance of decisions that produce legal effects concerning a consumer or similarly significant effects concerning a consumer, the consumer has the right to question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future." It also allows consumers to review data used in the profiling. "If the decision is determined to have been based upon inaccurate personal data ... the consumer has the right to have the data corrected and the profiling decision reevaluated based upon the corrected data.”

That right to question is the Minnesota law’s “best feature,” Center for Democracy and Technology’s Matt Scherer wrote in an email. “It gives arguably the strongest rights in the country when it comes to explanations for automated decisions.”

“Consumers have the right to question the results of automated decisions and be informed not only of the reason for the decision, but also what they could have done to secure a different decision,” said Scherer, who leads CDT’s worker’s rights project. “They also get a right to access any personal data used in the personal decision and correct inaccurate data. That comes close to the rights consumers have long had under federal law for credit decisions, which were really the first types of major decisions to become largely automated.”

However, the consumer advocate noted that “the law has exemptions that make this right somewhat less than meets the eye.” By excluding consumers acting in an employment context, the statute “carves out many of the most common use cases for algorithmic decisions.” Along similar lines, personal data doesn’t include publicly available data under the law, “and that exemption is defined very broadly,” said Scherer. “Arguably, it allows companies to scrape information from social media sites, for example, and use it in decisions without triggering the right to explanation.”

Complying With Minn. Consumer Rights

While Minnesota’s right to question is novel among states, it’s not unlike a right in FCRA, the federal law covering consumer reporting agencies, Johnson told us. What constitutes a legal or similarly significant effect -- the condition that triggers the consumer right -- isn’t defined in the Minnesota law, but other states have used the term before, said the Wyrick attorney. “It usually means, at a minimum, you've denied me insurance or health care or housing.”

The possible challenge for businesses will be setting up a way to facilitate consumer questioning, said Johnson. It could be especially tricky complying with the part that gives consumers a right to be informed of the actions that the business could have taken to get a different result, she said. “That’s just weird. It's a good thing this doesn't cover employees, because can you imagine the fishing expedition that would result?”

Even limited to consumers, “it's going to be a new horizon of figuring out how does a company describe this right,” Johnson said. “And then, when a person gets the results, managing the fallout is going to be interesting.”

Another notable consumer right in the Minnesota law is to obtain a list of specific third parties to whom personal data has been disclosed. Oregon requires that, too, but it’s still uncommon among states, which mostly require providing only categories of third parties, said Johnson. She noted that it’s also appeared in some other states’ bills that so far have failed to pass, so we may well be seeing a “mini-trend.”

Additional rights in Minnesota’s law are common in other states, such as:

  • Confirm controller is processing personal data
  • Access personal data
  • Correct inaccuracies in personal data
  • Delete personal data
  • Obtain copies of personal data in a portable format
  • Opt out of personal data sale, targeted advertising and profiling

New Rules on Material Changes, Data Inventories

Another novel feature of Minnesota’s privacy law relates to a business’s duty when it makes a material change to its privacy policy on what data is collected and how it’s used. Currently, in the U.S., companies are expected -- and under certain laws, required -- to provide notice, such as by an email saying the privacy policy has been updated, said Klein. But under the Minnesota law, companies have a heightened obligation to notify customers, since it requires them to use “all reasonable electronic measures” to provide notice.

In addition, not only must companies notify consumers, but they have to provide them with a reasonable opportunity to withdraw consent from any materially different collection. That raises questions about how this requirement will be enforced, because consent might not have been required in the first place to collect the data, said Klein. The law only requires opt-in consent in limited circumstances, such as when controllers intend to process sensitive data, while mere notice and sometimes the opportunity to opt out are all that’s required for other kinds of data processing.

While the Minnesota law doesn’t define a “material change,” Klein suggested consulting the definition from Colorado Privacy Act regulations (Rule 6.04) as a guide for how other state regulators have viewed this concept.

“A big compliance challenge,” especially for a smaller company, will be Minnesota requirements to document compliance procedures and conduct a data inventory, added Klein. Unlike most other states, Minnesota codifies that companies must have policies on purpose limitation, data minimization and data retention. And by requiring businesses to include the name and contact info of a top privacy compliance official, the state effectively requires companies to have chief privacy officers (CPOs), he said.

“These are things they are going to subpoena in the event of an investigation," said Klein, who previously worked for the New Jersey attorney general’s office. He added that other states may also start to expect these compliance measures from companies, even if not codified under those states’ privacy laws. State AG offices often try to coordinate enforcement efforts, he said, “and in the event of a multi-state investigation, other states may take the position that implementing a data-retention policy, having a [CPO] or conducting a data inventory are implicitly required under their own state privacy or consumer protection laws.”

While a mid-investigation subpoena is one option, Johnson said “there’s no reason [enforcers] couldn’t just ask” companies for their data inventories as part of a broader enforcement sweep without there first being a complaint filed.

Johnson noted that many companies may already be doing much of what Minnesota is new to require. For example, some Wyrick clients include in their assessment process a question about how long data will be retained, she said.

Likewise, privacy advisers have long urged companies to conduct data inventories. Jodi Daniels, a consultant, wrote Wednesday in a LinkedIn post: “I've been talking for years [about] why data inventories are essential to complying with privacy laws. It's the foundation [of] any privacy program.”

Still, Johnson said many companies haven’t followed this advice. For businesses of all sizes, she said, “getting your governance process in-house to a place where you actually have an all-the-time accurate, true inventory is really, really difficult.”

17th State Law Comes Online

With Minnesota's privacy law, which was signed about a year ago (see 2405280038), 17 of 20 comprehensive state privacy laws are now in effect. Tennessee activated its privacy law on July 1 (see 2506300023). Maryland’s sweeping privacy law will take effect on Oct. 1, while additional measures go on the books in Kentucky and Rhode Island on Jan. 1.

Sen. Bonnie Westlin (D), who sponsored the privacy law in the Minnesota Senate, pointed to the continuing lack of a national law in a press release Tuesday. “As of today, our federal government still has not moved to ensure the privacy of all Americans online,” she said. “Big tech companies are bigger and wealthier than ever before, and we are their product. Our data is used and sold by these companies, and until now, we have had no control over where our data is or how it is used.”

Following a similar model to Connecticut and many other states, Minnesota’s statute covers for-profit entities that conduct business in the state and either control or process personal data of at least 100,000 consumers, or control or process personal data of at least 25,000 consumers and derive more than 25% of their revenue from selling personal data.

The law contains entity-level exemptions for governments and nonprofits that detect insurance fraud, plus a temporary exemption for higher education that expires July 31, 2029. Data-level exemptions include employee and B2B data and information covered by federal laws such as FCRA, HIPAA, the Gramm-Leach-Bliley Act, Driver's Privacy Protection Act and Family Educational Rights and Privacy Act.

Companies must support universal opt-out mechanisms under Minnesota’s law. Meanwhile, the new statute considers sensitive data requiring affirmative consent to include:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health diagnosis
  • Sexual orientation
  • Citizenship or immigration status
  • Genetic or biometric data
  • Children's data
  • Specific geolocation data

Like other states’ privacy laws, Minnesota’s will be enforced solely by the state’s attorney general. A 30-day right to cure will sunset Jan. 31, 2026.