Minnesota’s governor has now signed into law that state’s comprehensive privacy law. For those keeping count – that is number 19 of state “comprehensive” privacy laws, with six in 2024 alone. The Minnesota law will go into effect on July 31, 2025, thirty days after Tennessee’s.

Minnesota’s law tracks closely to the same foundations found in other states, but does have small variations. For a recap of all of the US state privacy laws and their obligations you can visit our interactive tool. Key provisions include:

  • Applicability. The law will apply to businesses that either (1) process personal data of at least 100,000 Minnesota consumers or (2) control or process personal data of at least 25,000 consumers and derive more than twenty-five percent of gross revenue from the sale of personal data. Minnesota’s law mirrors all other states (except California) and defines “consumer” to exclude those in an employment or commercial context. The law also exempts certain information and certain entities, like banks and credit unions. Like Texas and Nebraska, small businesses are also exempt. Like Utah, Minnesota’s law exempts tribes. Information collected under HIPAA and GLBA is also exempt from the law.
  • Collection and Notice Obligations. While the obligations regarding privacy policy notices are mostly similar to other states, Minnesota will also require describing data retention in privacy policies.[1] Businesses will also need to notify consumers of material changes and give consumers a “reasonable” opportunity to withdraw consent. Like Maryland, Minnesota’s law has a non-discrimination provision. Companies cannot collect, use, or process information in a way that “unlawfully discriminates” against someone.
  • Sensitive information. Businesses that process the sensitive information of Minnesota residents will need to first get consent. The list of information deemed “sensitive” is familiar and aligns with other state laws. It includes consumers’ religion, sexual orientation, and health diagnoses. Though small businesses are generally exempt from the law, they cannot sell sensitive information without a consumer’s consent. This echoes Texas and Nebraska.
  • Consumer rights. Minnesota consumers will enjoy the same rights (access, correction, deletion) provided by other state laws. In addition, they can opt out of decisions based on profiling. Consumers can also review the information that the business used to make the decision, correct any inaccuracies, and ask for reevaluation. Timing for processing rights will be 45 days. Authorized agents can submit requests on a consumer’s behalf in certain circumstances. Businesses will need to comply with universal online opt-out mechanisms. Records of all appeals and responses must be kept for 24 months and the Attorney General can request copies of these records.
  • Opt-out mechanism. Businesses that engage in targeted advertising, the sale of personal data, or profiling will need to give Minnesota residents notice and the ability to opt out of those activities.
  • Data Protection Impact Assessments. As in all states except Iowa and Utah, businesses must conduct data protection impact assessments if processing data presents a heightened risk to consumers. This includes processing consumer data for targeted advertising, risky profiling, selling consumer data, or processing sensitive information.
  • Record Keeping. Businesses must document and maintain a description of the policies and procedures they have adopted to comply with the Minnesota privacy law. This includes the name and contact information for the individual with responsibility for the policies as well as how compliant policies have been implemented.

As in other states, consumers will not have a private right of action. The Minnesota Attorney General’s office will be responsible for enforcement. The law contains a 30-day cure period, which is set to expire on January 31, 2026. There are no provisions for additional rulemaking.

Putting it Into Practice: As more privacy laws are passed and go into effect, companies will want to take stock of their privacy programs. Are they sufficiently adaptable to take into account these new obligations? And do they otherwise think beyond “comprehensive” privacy laws?

FOOTNOTES

[1] 325O.07(1)(a)(7).