Minnesota is throwing its hat into the ring as the latest state to move towards implementing a comprehensive consumer data privacy law for its residents, with the Minnesota Consumer Data Privacy Act (“MCDPA”) introduced in the Minnesota House of Representatives earlier this week. The full text of the bill can be read here: HF 1492. The proposed MCDPA is similar to laws currently under review in Washington and Virginia, but there are nuances that every company doing business in Minnesota needs to know.
What companies will be affected by MCDPA?
As introduced, the MCDPA would apply to companies doing business in Minnesota, including those located outside of the state that provide products or services to Minnesota residents, so long as these companies:
(1) process personal data of at least 100,000 consumers; or
(2) generate more than 25% of their gross revenue from the sale of personal data, while also processing the personal data of at least 25,000 Minnesota consumers.
As those familiar with the California Consumer Privacy Act (“CCPA”) will note, there is no revenue component for MCDPA; the bright-line thresholds are concerned with the amount of data captured without regard to revenues generated by companies. Similar to CCPA, the MCDPA provides for an “or” test, meaning that if a company exceeds any threshold, it is in scope.
What rights will be granted by MCDPA?
Similar to other major data privacy laws around the globe, the MCDPA creates a number of consumer privacy rights, including the right to verify, correct, delete, access, and opt out of processing of their personal data. It also sets forth the time frames and other conditions for companies to respond to these consumer requests, and further provides requirements for data protection assessments and consumer privacy notices.
What are the penalties for noncompliance?
The MCDPA will be enforced by the state’s Attorney General, as the current draft of the bill does not include a private right of action. MCDPA provides for both injunctive relief and civil penalties of up to $7,500 for each violation.
The proposed MCDPA would be yet another privacy law with which businesses need to comply, and the nuances of each law rule out a one-size-fits-all solution. Implementing a flexible approach will be key to compliance efforts as additional laws around the country and globe continue to be implemented.
How Can Clym Help?
Clym believes in striking a balance between legal compliance and business needs, which is why we provide a cost-effective, scalable and flexible platform to comply with GDPR, CCPA, LGPD and other laws as they come online. Our platform provides consumers with an effective and easy-to-navigate way to opt out of data collection while not infringing upon the website UI that businesses rely on to drive revenues. Contact us today about how your company can implement Clym to help manage your data privacy regulation compliance from a global perspective.