Recently, the United States has seen significant legislative progress in the realm of data privacy, continually reshaping the landscape. The Minnesota Consumer Data Privacy Act has been signed into law by the governor, while the Vermont Data Privacy Act was vetoed by Vermont’s governor. These actions underscore a growing trend of state-level initiatives aimed at enhancing consumer data protection in the absence of comprehensive federal legislation. This post covers the key features of these two laws and their implications, and provides commentary on the broader context of data privacy regulation.

Minnesota Consumer Data Privacy Act


On May 24, 2023, Minnesota’s Governor Walz signed the Minnesota Consumer Data Privacy Act (“MCDPA”) into law.1 The MCDPA introduces several critical provisions aimed at bolstering consumer rights and data protection.2 The MCDPA applies to entities conducting business within the state or producing products or services targeted at Minnesota consumers if they meet one of the following criteria: (1) within a calendar year, control or process personal data of 100,000 consumers or more; or (2) derive 25 percent of gross revenue from the sale of personal data and process or control personal data of 25,000 consumers or more. Businesses subject to the MCDPA have until July 1, 2025, to come into compliance. 

Which Businesses Are Exempt?

Certain types of businesses are exempt, including government entities, federally recognized Indian tribes, “small business” as defined by the U.S. Small Business Administration regulations, air carriers under the Airline Deregulation Act, and certain kinds of banks, credit unions and insurance companies.

Nonprofit organizations are not exempt except if they are “established to detect and prevent fraudulent acts in connection with insurance.” The MCDPA exempts data regulated by HIPAA, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Driver’s Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Minnesota Insurance Fair Information Reporting Act.

Here are the key highlights:

  1. Consumer Rights: The MCDPA grants Minnesota residents the right to access, correct, delete, and obtain a copy of their personal data held by businesses. This empowerment of consumers is a significant step towards enhancing transparency and control over personal information.
  2. Opt-Out Mechanism: Consumers have the right to opt out of the sale of their personal data and targeted advertising. This provision aligns with similar laws in states like California, giving consumers greater control over how their data is used by third parties.
  3. Data Protection Assessments: Businesses are required to conduct data protection assessments for processing activities involving sensitive personal data or presenting a high risk to consumers’ privacy. This proactive measure aims to mitigate potential risks before they materialize.
  4. Transparency Obligations: The MCDPA requires a “controller” to provide consumers with a privacy notice that includes specific disclosures such as:
     - The categories of personal data processed by the controller;
     - The purposes for which such categories are processed;
     - An explanation of rights available under the MCDPA and how the consumer can exercise those rights;
     - The categories of personal data the controller sells or discloses with third parties;
     - The categories of third parties to whom personal data is sold or disclosed;
     - The controller’s contact information;
     - A description of the controller’s retention policies; and
     - The date the notice was last updated.
  5. Sensitive Data: The MCDPA includes heightened protections for “sensitive data” such as biometric information, specific geolocation data, personal data of a child, and personal data relating to race, ethnic origin, religious beliefs, mental or physical health conditions, sexual orientation, citizenship, or immigration status. Sensitive data cannot be processed by a controller without first obtaining the consumer’s consent or, in the case of a child, consent from the parent or lawful guardian. Additionally, a controller must establish a mechanism for consumers to revoke their consent and must cease processing within 15 days after receiving a revocation notice. “Small businesses” that conduct business in Minnesota or target products or services to consumers are prohibited from selling sensitive data without prior consent.
  6. Enforcement: The MCDPA does not provide a private right of action. The Minnesota attorney general is responsible for enforcement. Violations of the MCDPA are subject to injunctive relief and civil penalties of up to $7,500 per violation. Currently, the MCDPA requires the Minnesota Attorney General to provide a controller or processor with notice of the specific provisions of the MCDPA that it alleges have been violated and 30 days to cure the violations before bringing an enforcement action. This provision, however, expires on January 31, 2026.
  7. Prohibition on Discrimination: Controllers are prohibited from processing personal data based on certain actual or perceived characteristics (e.g., race, color, ethnicity, religion, gender, etc.) in a way that would unlawfully discriminate against consumers regarding the granting of housing, employment, credit, education, or public accommodations. Controllers cannot discriminate against consumers for exercising any rights available under the MCDPA. A controller cannot refuse to provide a service or product, charge different prices or rates, or provide different quality goods or services because a consumer exercised rights under the MCDPA. This provision does not apply to certain bona fide loyalty and rewards programs.
  8. Timing Requirements for Consumer Rights and Appeals: Controllers need to provide one or more secure and reliable methods for consumers to submit requests to exercise their rights. The controller must act no later than 45 days after receiving such a request. Under some circumstances, the controller may extend this period by an additional 45 days.

Vermont Data Privacy Act (VETOED)


Yesterday, Vermont’s Data Privacy Act (VDPA) was vetoed by Governor Scott, and the veto was sustained by the Senate.3 The VDPA is considered a sweeping data privacy bill.4 Although in the first 171 years of state history there had only been six successful overrides of gubernatorial vetoes, yesterday Vermont’s legislature set a new record by overriding six vetoes in one day, while ultimately sustaining the veto of the data privacy bill.

Key provisions include:

  1. Consumer Consent: The VDPA emphasizes the importance of obtaining explicit consumer consent before collecting, using, or sharing personal data. This consent-driven approach ensures that consumers are fully aware of how their data is being handled.
  2. Data Minimization: Businesses are required to limit the collection of personal data to what is necessary for the specified purpose. This principle of data minimization reduces the risk of unnecessary data accumulation and potential misuse.
  3. Privacy by Design: The VDPA mandates that businesses integrate data privacy measures into the design of their products and services. This forward-thinking approach aims to embed privacy into the core functionality of business operations.
  4. Right to Data Portability: Consumers have the right to request the transfer of their personal data to another service provider. This provision enhances consumer autonomy and fosters competition among service providers.

The Broader Context

The passage of the Minnesota Consumer Data Privacy Act and the attempt to pass the Vermont Data Privacy Act reflect a growing recognition of the need for robust data privacy protections at the state level. As consumers become increasingly aware of their digital footprints and the potential risks associated with data breaches, there is a corresponding demand for stronger regulatory frameworks.

These state actions also highlight the patchwork nature of data privacy regulation in the United States. In the absence of a unified federal data privacy law, states are stepping in to fill the gap, leading to a diverse array of regulations that businesses must navigate. This can pose challenges for companies operating across multiple states, as they must comply with varying requirements.

However, state-level initiatives also serve as laboratories for data privacy regulation, providing valuable insights and models that could inform future federal legislation. The principles of consumer rights, data minimization, and privacy by design, as seen in the MCDPA and proposed in the VDPA, could form the foundation of a comprehensive national data privacy framework. As the digital landscape continues to evolve, it is crucial for lawmakers, businesses, and consumers to stay informed and engaged in the ongoing conversation about data privacy.

Thank you for reading my blog.

Kati


  1. Minnesota Becomes the Next State to Enact Comprehensive Data Protection Law, National Law Review, https://natlawreview.com/article/minnesota-becomes-next-state-enact-comprehensive-data-protection-law
  2. H.F. 4757, 93rd Leg., Reg. Sess. (Minn. 2024), https://www.revisor.mn.gov/bills/bill.php?b=house&f=HF4757&ssn=0&y=2024.
  3. Suzanne Smalley, Vermont’s Landmark Privacy Bill Killed as Legislature Fails to Override Veto, The Record, https://therecord.media/vermont-landmark-privacy-bill-killed.
  4. H.121, 2023-2024 Leg., Reg. Sess. (Vt. 2024), https://legislature.vermont.gov/bill/status/2024/H.120
