The Minnesota Consumer Data Privacy Act's (MCDPA's) application, definitions, consumer rights, and notice requirements were discussed in "Minnesota Consumer Data Privacy Act: Application, Definitions, Consumer Rights, and Notices." This article discusses the MCDPA's controller and processor responsibilities, security, controller-processor contracts, data protection assessments, de-identified data, and Minnesota attorney general enforcement.
MCDPA Controller Responsibilities
A controller must do the following.
Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which such data are processed, which must be disclosed to the consumer.
Except as provided in the MCDPA, not process personal data for purposes that are neither reasonably necessary to, nor compatible with the purposes for which such personal data are processed, as disclosed to the consumer, unless the controller obtains the consumer's consent.
Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities, which must be appropriate to the volume and nature of the personal data at issue.
Except as otherwise provided in the MCDPA, not process sensitive data concerning a consumer without obtaining the consumer's consent, or, in the case of the processing of personal data concerning a known child, without obtaining consent from their parent or lawful guardian, in accordance with the Children's Online Privacy Protection Act and its implementing regulations, rules, and exemptions.
Provide an effective mechanism for a consumer, or, in the case of the processing of personal data concerning a known child, their parent or lawful guardian, to revoke previously given consent under Minn. Stat. § 325M.16, subdivision 2, which must be at least as easy as the mechanism by which the consent was previously given, and, upon revocation of consent, cease to process the applicable data as soon as practicable, but not later than 15 days after the receipt of the request.
Not process the personal data of a consumer for purposes of targeted advertising, or sell the consumer's personal data, without the consumer's consent, under circumstances where the controller knows that the consumer is between the ages of 13 and 16.
Not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under Minn. Stat. § 325M.19.
Not process personal data on the basis of a consumer's or a class of consumers' actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, lawful source of income, or disability in a manner that unlawfully discriminates against the consumer or class of consumers with respect to the offering or provision of: housing, employment, credit, or education; or the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.
Not discriminate against a consumer for exercising any of the rights contained in the MCDPA including denying goods or services to the consumer, charging different prices or rates for goods or services, and providing a different level of quality of goods and services to the consumer. The immediately preceding sentence does not require a controller to provide a good or service that requires the consumer's personal data that the controller does not collect or maintain; or prohibit a controller from offering a different price, rate, level, quality, or selection of goods or services to a consumer, including offering goods or services for no fee, if the offering is in connection with a consumer's voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program.
MCDPA Processor Responsibilities
A processor is responsible under the MCDPA for adhering to the instructions of the controller and assisting the controller to meet its obligations under the MCDPA. Taking into account the nature of the processing, that assistance includes the following.
Assisting the controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to consumer requests to exercise their rights pursuant to Minn. Stat. § 325M.14; and
Also taking into account the nature of processing and the information available to the processor, assisting the controller in meeting its obligations in relation to the security of processing the personal data and in relation to the notification of a breach of the security of the system pursuant to Minn. Stat. § 325E.61, and providing information to the controller necessary to enable the controller to conduct and document any data privacy and protection assessments required by Minn. Stat. § 325M.18.
A processor must do the following.
Ensure that each person processing the personal data is subject to a duty of confidentiality with respect to the data; and
Engage a subcontractor only after providing the controller with an opportunity to object, and pursuant to a written contract in accordance with the Contract Requirements (as defined below) that requires the subcontractor to meet the obligations of the processor with respect to the personal data (the "Processor Confidentiality and Subcontractor Requirements").
Determining whether a person is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A processor that continues to adhere to a controller's instructions with respect to a specific processing of personal data remains a processor.
MCDPA Security
Taking into account the context of processing, the controller and the processor must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between the controller and the processor to implement the technical and organizational measures (collectively, the "Security Requirements").
MCDPA Controller-Processor Contracts
The processor's data processing procedures with respect to processing performed on behalf of the controller must be governed by a contract between the controller and the processor that is binding and clearly sets forth the following requirements (collectively, the "Contract Requirements").
Instructions for processing data;
Nature and purpose of the processing;
Type of personal data subject to processing;
Duration of the processing;
The rights and obligations of both parties;
The Security Requirements, and the Processor Confidentiality and Subcontractor Requirements; and
The following requirements.
At the choice of the controller, the processor must delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law;
Upon a reasonable request from the controller, the processor must make available to the controller all information necessary to demonstrate compliance with the obligations in the MCDPA; and
The processor must allow for, and contribute to, reasonable assessments and inspections by the controller or the controller's designated assessor. Alternatively, the processor may arrange for a qualified and independent assessor to conduct, at least annually and at the processor's expense, an assessment of the processor's policies and technical and organizational measures in support of the obligations under the MCDPA using an appropriate and accepted control standard or framework and assessment procedure for assessments as applicable. The processor must provide a report of an assessment to the controller upon request.
In no event may a contract relieve a controller or a processor from the liabilities imposed on them by virtue of their role in the processing relationship under the MCDPA.
Description of MCDPA Policies and Procedures
A controller must document and maintain a description of the policies and procedures that the controller has adopted to comply with the MCDPA. The description must include the following, where applicable (collectively, the "Description of MCDPA Policies and Procedures").
The name and contact information for the controller's chief privacy officer or other individual with primary responsibility for directing the policies and procedures implemented to comply with the provisions of the MCDPA; and
The description of the controller's data privacy policies and procedures which reflect the requirements in Minn. Stat. § 325M.16, and any policies and procedures designed to do the following.
Reflect the requirements of the MCDPA in the design of the controller's systems;
Identify and provide personal data to a consumer as required by the MCDPA;
Establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities;
Limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed;
Prevent the retention of personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed, unless retention of the data is otherwise required by law or permitted under Minn. Stat. § 325M.19; and
Identify and remediate violations of the MCDPA.
MCDPA Data Privacy and Protection Assessments
A controller must conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data.
Processing of personal data for purposes of targeted advertising;
Sale of personal data;
Processing of sensitive data;
Processing activities involving personal data that present a heightened risk of harm to consumers; and
Processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of the following.
Unfair or deceptive treatment of, or disparate impact on, consumers;
Financial, physical, or reputational injury to consumers;
A physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or
Other substantial injury to consumers.
In addition, a data privacy and protection assessment must take into account the type of personal data to be processed by the controller, including the extent to which the personal data are sensitive data, and the context in which the personal data are to be processed.
A data privacy and protection assessment must identify and weigh the benefits that may flow directly and indirectly from the processing to the controller, consumer, other stakeholders, and the public against the potential risks to the rights of the consumer associated with the processing, as mitigated by safeguards that can be employed by the controller to reduce the potential risks. The use of de-identified data and the reasonable expectations of consumers, and the context of the processing and the relationship between the controller and the consumer whose personal data will be processed, must be factored into this assessment by the controller.
A data privacy and protection assessment must include the Description of MCDPA Policies and Procedures.
As part of a civil investigative demand, the Minnesota attorney general may request, in writing, that a controller disclose any data privacy and protection assessment that is relevant to an investigation conducted by the Minnesota attorney general. The controller must make a data privacy and protection assessment available to the Minnesota attorney general upon a request made under Minn. Stat. § 325M.18(f). The Minnesota attorney general may evaluate the data privacy and protection assessments for compliance with the MCDPA. Data privacy and protection assessments are classified as nonpublic data, as defined by Minn. Stat. § 13.02, subdivision 9. The disclosure of a data privacy and protection assessment pursuant to a request from the Minnesota attorney general under Minn. Stat. § 325M.18(f) does not constitute a waiver of the attorney-client privilege or work product protection with respect to the assessment and any information contained in the assessment.
Data privacy and protection assessments or risk assessments conducted by a controller for the purpose of compliance with other laws or regulations may qualify under Minn. Stat. § 325M.18 if the assessments have a similar scope and effect.
A single data protection assessment may address multiple sets of comparable processing operations that include similar activities.
MCDPA De-identified Data
The MCDPA does not require a controller or processor to do any of the following solely for purposes of complying with the MCDPA.
Re-identify de-identified data;
Maintain data in identifiable form, or collect, obtain, retain, or access any data or technology, in order to be capable of associating an authenticated consumer request with personal data; or
Comply with an authenticated consumer request to access, correct, delete, or port personal data pursuant to Minn. Stat. § 325M.14, subdivision 1, if the controller meets all of the following conditions.
Is not reasonably capable of associating the request with the personal data, or it would be unreasonably burdensome for the controller to associate the request with the personal data;
Does not use the personal data to recognize or respond to the specific consumer who is the subject of the personal data, or associate the personal data with other personal data about the same specific consumer; and
Does not sell the personal data to any third party or otherwise voluntarily disclose the personal data to any third party other than a processor, except as otherwise permitted in Minn. Stat. § 325M.15.
The rights contained in Minn. Stat. § 325M.14, subdivision 1, paragraphs (b) to (e) and (h) do not apply to pseudonymous data where the controller is able to demonstrate any information necessary to identify the consumer is kept separately and is subject to effective technical and organizational controls that prevent the controller from accessing the information.
A controller that uses pseudonymous data or de-identified data must exercise reasonable oversight to monitor compliance with any contractual commitments to which the pseudonymous data or de-identified data are subject, and must take appropriate steps to address any breaches of contractual commitments.
A processor or third party must not attempt to identify the subjects of de-identified or pseudonymous data without the express authority of the controller that caused the data to be de-identified or pseudonymized.
A controller, processor, or third party must not attempt to identify the subjects of data that have been collected with only pseudonymous identifiers.
MCDPA Enforcement
Any controller or processor that violates the MCDPA is subject to an injunction and liable for a civil penalty of not more than $7,500 for each violation. The Minnesota attorney general may bring a civil action against a controller or processor to enforce a provision of the MCDPA in accordance with Minn. Stat. § 8.31. If Minnesota prevails in an action to enforce the MCDPA, Minnesota may, in addition to penalties described in the immediately preceding sentence or other remedies provided by law, be allowed an amount determined by the court to be the reasonable value of all or part of Minnesota's litigation expenses incurred.
Until January 31, 2026, in the event that a controller or processor violates the MCDPA, the Minnesota attorney general, before filing an enforcement action under Minn. Stat. § 325M.20(b), must provide the controller or processor with a warning letter identifying the specific provisions of the MCDPA that the Minnesota attorney general alleges have been or are being violated. If, after 30 days of issuance of the warning letter, the Minnesota attorney general believes the controller or processor has failed to cure any alleged violation, the Minnesota attorney general may bring an enforcement action under Minn. Stat. § 325M.20(b).
Nothing in the MCDPA establishes a private right of action, including under Minn. Stat. § 8.31, subdivision 3a, for a violation of the MCDPA or any other law.
Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.