The flurry of 2024 U.S. comprehensive state privacy law activity remains in full swing as Minnesota became the latest state to position itself to join the ever-growing patchwork of legislation.
The Minnesota Legislature granted final passage 19 May to a wide-ranging omnibus bill containing the state's take on comprehensive privacy legislation. The bill covers entities that control or process personal data on 100,000 consumers or derive 25% of revenue from selling the data of more than 25,000 consumers.
State Rep. Steve Elkins, D-Minn., who spent the last five years crafting legislation after first introducing a 2018 bill modeled after the original Washington Privacy Act proposal, initially proposed the bill as a standalone measure before agreeing to incorporate it into the omnibus. If enacted by the governor, the proposed law would take effect 31 July 2025.
"I'm proud of the final state of this legislation, and I am confident that the over one hundred stakeholders involved in this work will be able to implement these new regulations effectively," Elkins said in a 10 May statement marking the omnibus' passage out of the Minnesota House.
Core provisions of Minnesota's proposal largely track with existing state privacy laws, but within those familiar foundations are notable wrinkles covered entities may need to adjust to.
Notable to privacy professionals under Minnesota's proposed requirements for data privacy notices and data protection assessments is an implied obligation to appoint a chief privacy officer or organizational privacy lead. Covered entities are tasked with providing the name and contact information of the "chief privacy officer or other individual with primary responsibility for directing the policies and procedures."
The bill also contains novel consumer rights and subsequent business obligations around profiling practices. Consumers can request information regarding a profiling decision carried out against them, including the reasoning behind a particular profiling decision and access to the data used to reach the decision.
The way Minnesota handles exemptions is also unique. Small businesses as defined by the U.S. Small Business Administration are exempt from the law. There are no full exemptions for businesses covered by the Health Insurance Portability and Accountability Act or the Gramm-Leach-Bliley Act; however, there are targeted exemptions for health and financial data processing.
Key provisions shared between Minnesota's bill and comprehensive statutes in other states vary. Common threads to Minnesota from a majority of enacted laws include recognition of universal opt-out mechanisms, required data protection assessments, exclusive attorney general enforcement and a 30-day right to cure that sunsets in 2026.
There are some provisions that correlate more directly with particular states. Minnesota adopted Oregon's consumers' right to transparency around "a list of the specific third parties to which the controller has disclosed the consumer’s personal data." Requirements around anti-discrimination track with Maryland's comprehensive law, as Minnesota clearly identifies categories of sensitive data that cannot be processed.
The U.S. is approaching a record number of states to pass comprehensive privacy legislation in a single year. Minnesota is the seventh state this year to pass legislation through the legislature. Enactment by Minnesota and Vermont would help 2024's total match the seven comprehensive state laws enacted in 2023.