On May 19, 2024, Minnesota officially joined the ranks of states enacting robust data privacy protections for consumers. The Minnesota Consumer Data Privacy Act (HF 4757 / SF 4782) was approved by the state legislature and is headed to the governor's desk for expected signature into law.
The landmark legislation grants Minnesota residents a sweeping set of rights regarding how companies collect and use their personal data. Key provisions include:
- The right for consumers to access, delete, correct, and obtain copies of their personal information held by businesses
- Opt-out rights for the sale of personal data, targeted advertising, and profiling
- Requirements for businesses to conduct data protection assessments
- Non-discrimination against consumers who exercise their rights
The new law applies to for-profit companies conducting business in Minnesota that meet certain revenue and data processing thresholds. It establishes one of the strongest data privacy frameworks in the nation, drawing from aspects of laws such as Europe's GDPR, California's CCPA/CPRA, and Virginia's CDPA.
There are now 15 states—California, Virginia, Connecticut, Colorado, Utah, Iowa, Indiana, Tennessee, Oregon, Montana, Texas, Delaware, Florida, New Jersey, and New Hampshire—that have comprehensive data privacy laws in place. Laws of this type generally apply across industries, with exceptions for certain data categories and entity types, and grant rights to individuals pertaining to the collection, use, and disclosure of their personal data by businesses.
Narrow consumer privacy bills that address a range of issues—including protecting biometric identifiers and health data or governing the activities of specific entities like data brokers or internet service providers—have been introduced in several states, as well.
"The Minnesota Consumer Data Privacy Act is a huge step forward in giving residents more transparency and control over their personal information in the digital age," said Leigh Nakanishi, Executive Director of the Minnesota Center for Digital Rights. "No longer will companies be able to indiscriminately collect, use, and sell people's data without their clear permission."
The rising tide of state data privacy regulations reflects growing public concern over the largely unregulated handling of personal data by companies, apps, and websites. Without federal legislation, the patchwork of state laws aims to give consumers more rights and set clearer boundaries for businesses.
Consumer advocates argue that these comprehensive state acts are vital for data protection in an era when personal info has become immensely valuable. But industries like advertising tech have pushed back, citing compliance challenges for companies operating across multiple state privacy regimes.
"The Minnesota law continues what is a growing trend in the U.S. of state-specific comprehensive privacy laws. It borrows from a variety of different approaches taken by different states. Uniquely, it carves out small businesses, as defined under the U.S. Small Business Administration (which aligns with the Texas privacy law)," said Jordan Fischer, Cyber Attorney and Partner at Constangy, Brooks, Smith & Prophete, LLP. "It also includes exemptions that appear to be becoming standard in these privacy laws for federal laws such as HIPAA and GLBA. However, these are not entity level exemptions, and instead only appear to exist at the data level."
Experts expect more states to follow suit and introduce their own data privacy bills, increasing pressure on Congress to potentially pursue a federal data privacy framework that would supersede state laws. For now, navigating this evolving regulatory landscape remains a major challenge for businesses operating nationwide.
Implications of provision asking for Chief Privacy Officer
The Minnesota Consumer Data Privacy Act (CDPA) includes a provision that implies organizations will need to designate a Chief Privacy Officer or similar lead privacy personnel to oversee compliance efforts. Here's some more detail on what this entails and the implications.
The relevant section of the law states that companies must provide "the contact details of the controller's designated privacy protection officer or other identifiable corporate employee...." While it doesn't explicitly mandate having a dedicated Chief Privacy Officer (CPO) role, legal experts interpret this as an implied requirement for organizations to assign a specific individual to lead their data privacy program and serve as the point of contact.
"Organizations have long struggled with whether and when to designate a Chief Privacy Officer to their ranks, where that role should sit (in compliance, legal, or other department), and who the CPO or privacy official should report to and be accountable for," said Myriah Jaworski Esq., CIPP/E, CIPP/US, Member, Data Privacy & Cybersecurity, Clark Hill Law. "Minnesota's new privacy law makes clear: the time is now. Helpfully, the law also sets forth a minimum of expected responsibilities of a CPO, which should play a role in setting a baseline for the CPO role, similar to what we saw with the development of the CISO role over the last two decades."
This designated privacy officer or lead privacy personnel would be responsible for operationalizing the organization's data privacy practices in line with the new law's requirements around data processing, consumer rights fulfillment, risk assessments, and more. Their duties would likely include:
- Developing and maintaining data maps/inventories of personal information
- Implementing processes for honoring consumer opt-outs, access, and deletion requests
- Conducting data protection impact assessments
- Evaluating third-party data sharing for compliance
- Training employees on data privacy practices
- Serving as the contact for consumer inquiries and complaints
- Advising leadership on data privacy obligations and risks
For larger enterprises, this likely means creating a formal CPO position at the C-suite level, similar to roles already established for compliance with GDPR, CCPA, and other data protection laws. Smaller organizations may be able to designate an existing employee to take on lead privacy responsibilities.
Regardless of company size, having clear leadership and oversight for data privacy efforts has become an operational necessity in this increasingly regulated environment. Having dedicated privacy personnel helps centralize expertise, authority, and accountability.
"The harder and emerging question, of course, is if privacy breaches become the new security breach, will privacy officers be under the same scrutiny and potential liability as CISOs, and is there anything we can learn from CISO liability to better place and protect CPOs in their roles now?" Jaworski added.
Public sector organizations like state agencies, cities, and schools will also need to evaluate how to fulfill this privacy personnel requirement, which could require new hires or reassigning existing roles and responsibilities.
Failure to properly designate a privacy lead could open organizations up to potential enforcement actions and fines for non-compliance under the Minnesota CDPA once it goes into effect. Consumer privacy is now a mission-critical function that requires appropriate resourcing.
Overall, this privacy officer provision in Minnesota's new law aims to ensure data privacy doesn't become an afterthought, but has a clear authority empowered to develop and enforce compliant data practices across the organization. For many, it will require a renewed look at privacy staffing and governance.
Despite some resistance, the Minnesota Consumer Data Privacy Act shows the steady momentum behind this consumer-centric movement. Residents can look forward to having new rights go into effect starting in mid-2025. Specifically, the bill's effective date is July 31, 2025, except that postsecondary institutions regulated by the Office of Higher Education are not required to comply until July 31, 2029.
"Assuming the governor signs the law, it will go into effect in 2025," Fischer said. "So, businesses do have time to understand the nuances under the new Minnesota law, and to develop a plan to use existing privacy strategies, or start a path down privacy compliance, before the law goes into effect."