New Minnesota Consumer Data Privacy Act is introduced

On Feb. 22, 2021, the “Minnesota Consumer Data Privacy Act” (MCDPA) was introduced in the Minnesota House of Representatives. The MCDPA is now the primary candidate to become Minnesota’s omnibus consumer privacy law.

The proposed MCDPA would add many layers of consumer privacy obligations to companies doing business in Minnesota, and is being closely watched by industry observers. Businesses across the country handling consumer personal data will continue to closely track developments with this bill during the next several weeks as it works its way through the legislative process.

To learn more about the MCDPA and privacy regulations, Security magazine spoke to attorney Nadeem Schwen, from Winthrop & Weinstine, who has been at the forefront of this bill’s creation and leads data privacy work for the firm.

Security: Are data privacy laws inevitable? Are there any that currently impact Minnesota businesses?

Schwen: We expect to see more and more states propose new bills and legislation for consumer data privacy protections in the coming months and years. With other states like Washington and Virginia pushing for change, the time is now for businesses to prepare for individual state data privacy acts as well as the CCPA and GDPR (if they haven’t already). Although there is still some uncertainty and pending amendments to the law, there are concrete steps that businesses can take today to drastically reduce the risk of fines, costly litigation, and other financial & PR nightmares.

Minnesota is now the latest state to take strides towards enacting an omnibus consumer data privacy law. On February 22, 2021, the “Minnesota Consumer Data Privacy Act” was introduced as HF 1492 by Rep. Steve Elkins (DFL) and Rep. Mohamud Noor (DFL) in the Minnesota House of Representatives.

The proposed Minnesota Consumer Data Privacy Act (“MCDPA”) is largely based on the 2021 version of the proposed Washington Privacy Act (SB 5062), and bears many similarities to the Virginia Consumer Data Protection Act (“CDPA”). Virginia’s CDPA was recently passed by the Virginia legislature and is headed for Gov. Ralph Northam’s desk this week, where it is expected to be signed into law. The MCDPA shifts Minnesota’s privacy debate away from the California Consumer Privacy Act (“CCPA”) model, and towards the approach making headway through the Washington legislature in 2021. While a different CCPA-styled privacy bill was introduced in Minnesota in January 2021 (HF 36) by Rep. Noor, he is now a co-sponsor of the proposed MCDPA. The MCDPA is now the primary candidate to become Minnesota’s omnibus consumer privacy law.

Security: Which businesses would the new MCDPA apply to?

Schwen: As introduced, the MCDPA would apply to companies doing business in Minnesota, including those that provide products or services to Minnesota residents, so long as these companies: (1) process personal data of at least 100,000 consumers; or (2) generate more than 25% of their gross revenue from the sale of personal data, while also processing the personal data of at least 25,000 Minnesota consumers. The MCDPA would also govern a wide range of activities related to the processing of consumer personal information, including creating a variety of consumer data rights. For example, the bill gives consumers a variety of consumer privacy rights, including the right to verify, correct, delete, access, and opt-out of processing of their personal data. It also sets forth the time frames and other conditions for companies to respond to these consumer requests, and further provides requirements for data protection assessments and consumer privacy notices.

Security: If this were to move forward, what changes would need to be made and penalties would there be?

Schwen: Enforcement of the MCDPA is by civil action brought by the attorney general, with injunctive relief available, as well as civil penalties of up to $7,500 for each violation. Like the proposed Washington Privacy Act, the proposed MCDPA does not currently include a private right of action. However, that may change during the course of the legislative session, as this is likely to be a hotly contested aspect of the bill, and amendments for a private right of action are already in the works. Moreover, while the proposed MCDPA does not specifically address facial recognition, a separate bill on that topic is expected to be introduced later this session by co-sponsor Rep. Mohamud Noor.

The proposed MCDPA would add many layers of consumer privacy obligations to companies doing business in Minnesota, and is being closely watched by industry observers. Businesses across the country handling consumer personal data should continue to closely track developments with this bill during the next several weeks as it works its way through the legislative process.

Security: What should businesses know about Data Privacy rights and protocols today - that could help prepare them for data privacy changes in the future?

Schwen: There are many lessons to be learned from GDPR and the CCPA that could help prepare businesses for tomorrow. Here is an example of the six things that businesses should keep in mind when working to implement new data privacy practices for Minnesota, California or the EU: https://www.winthrop.com/bold-perspectives/6-lessons-learned-from-the-gdpr-transition/

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

A head of state needs heart surgery at your facility. High-profile members of a national sports team are getting updated vaccinations. What do you do when you get the call?