Cyber and Privacy Risk and Insurance

Minnesota Consumer Data Privacy Act: Exceptions

Melissa Krasnow | May 9, 2025


The first article in this series is "Minnesota Consumer Data Privacy Act: Application, Definitions, Consumer Rights, and Notices." The second article is "Minnesota Consumer Data Privacy Act: Controllers, Processors, and Enforcement." This final article discusses exceptions to the Minnesota Consumer Data Privacy Act (MCDPA).

The MCDPA does not apply to the following entities, activities, or types of information.

  • A government entity, as defined by Minn. Stat. § 13.02, subdivision 7a;
  • A federally recognized Indian tribe;
  • Information that meets the definition of the following.
    • Protected health information, as defined by and for purposes of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and related regulations;
    • Health records, as defined in Minn. Stat. § 144.291, subdivision 2;
    • Patient identifying information for purposes of Code of Federal Regulations, title 42, part 2, established pursuant to United States Code, title 42, § 290dd-2;
    • Identifiable private information for purposes of the federal policy for the protection of human subjects, Code of Federal Regulations, title 45, part 46; identifiable private information that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by the International Council for Harmonisation; the protection of human subjects under Code of Federal Regulations, title 21, parts 50 and 56; or personal data used or shared in research conducted in accordance with any of such requirements;
    • Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986, Public Law 99-660, and related regulations; or
    • Patient safety work product for purposes of Code of Federal Regulations, title 42, part 3, established pursuant to United States Code, title 42, §§ 299b-21 to 299b-26 (collectively, Health Care-related Information);
  • Information that is derived from any Health Care-related Information, but that has been deidentified in accordance with the requirements for deidentification set forth in Code of Federal Regulations, title 45, part 164;
  • Information originating from, and intermingled to be indistinguishable with, any Health Care-related Information that is maintained by the following.
    • A covered entity or business associate, as defined by the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and related regulations;
    • A healthcare provider, as defined in Minn. Stat. § 144.291, subdivision 2; or
    • A program or a qualified service organization, as defined by Code of Federal Regulations, title 42, part 2, established pursuant to United States Code, title 42, § 290dd-2;
  • Information that is the following.
    • Maintained by an entity that meets the definition of health care provider under Code of Federal Regulations, title 45, § 160.103, to the extent that the entity maintains the information in the manner required of covered entities with respect to protected health information for purposes of the Health Insurance Portability and Accountability Act of 1996, Public Law 104-191, and related regulations;
    • Included in a limited data set, as described under Code of Federal Regulations, title 45, part 164.514(e), to the extent that the information is used, disclosed, and maintained in the manner specified by that part;
    • Maintained by, or maintained to comply with the rules or orders of, a self-regulatory organization as defined by United States Code, title 15, § 78c(a)(26);
    • Originated from, or intermingled with, Gramm-Leach-Bliley Act Personal Data as defined below and that a licensed residential mortgage originator, as defined under Minn. Stat. § 58.02, subdivision 19, or residential mortgage servicer, as defined under Minn. Stat. § 58.02, subdivision 20, collects, processes, uses, or maintains in the same manner as required under the federal Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations; or
    • Originated from, or intermingled with, Gramm-Leach-Bliley Act Personal Data as defined below and that a nonbank financial institution, as defined by Minn. Stat. § 46A.01, subdivision 12, collects, processes, uses, or maintains in the same manner as required under the federal Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations;
  • Information used only for public health activities and purposes, as described under Code of Federal Regulations, title 45, part 164.512;
  • An activity involving the collection, maintenance, disclosure, sale, communication, or use of any personal data bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency, as defined in United States Code, title 15, § 1681a(f), by a furnisher of information, as set forth in United States Code, title 15, § 1681s-2, who provides information for use in a consumer report, as defined in United States Code, title 15, § 1681a(d), and by a user of a consumer report, as set forth in United States Code, title 15, § 1681b, except that information is only excluded hereunder to the extent that the activity involving the collection, maintenance, disclosure, sale, communication, or use of the information by the agency, furnisher, or user is subject to regulation under the federal Fair Credit Reporting Act, United States Code, title 15, §§ 1681 to 1681x, and the information is not collected, maintained, used, communicated, disclosed, or sold except as authorized by the Fair Credit Reporting Act;
  • Information that originates from, or is intermingled so as to be indistinguishable from, information described in the immediately preceding bullet point and that a person licensed under the Minnesota Regulated Loan Act collects, processes, uses, or maintains in the same manner as is required under the laws and regulations specified in the immediately preceding bullet point;
  • Personal data collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act, Public Law 106-102, and implementing regulations, if the collection, processing, sale, or disclosure is in compliance with that law (collectively, Gramm-Leach-Bliley Act Personal Data);
  • Personal data collected, processed, sold, or disclosed pursuant to the federal Driver's Privacy Protection Act of 1994, United States Code, title 18, §§ 2721 to 2725, if the collection, processing, sale, or disclosure is in compliance with that law;
  • Personal data regulated by the federal Family Educational Rights and Privacy Act, United States Code, title 20, § 1232g, and implementing regulations;
  • Personal data collected, processed, sold, or disclosed pursuant to the federal Farm Credit Act of 1971, as amended, United States Code, title 12, §§ 2001 to 2279cc, and implementing regulations, Code of Federal Regulations, title 12, part 600, if the collection, processing, sale, or disclosure is in compliance with that law;
  • Data collected or maintained as the following.
    • In the course of an individual acting as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of a business if the data is collected and used solely within the context of the role;
    • As the emergency contact information of such foregoing individual if used solely for emergency contact purposes; or
    • That is necessary for the business to retain to administer benefits for another individual relating to such foregoing individual if used solely for the purposes of administering those benefits;
  • Personal data collected, processed, sold, or disclosed pursuant to the Minnesota Insurance Fair Information Reporting Act, Minn. Stat. §§ 72A.49 to 72A.505;
  • Data collected, processed, sold, or disclosed as part of a payment-only credit, check, or cash transaction where no data about consumers, as defined in Minn. Stat. § 325M.11, are retained;
  • A state or federally chartered bank or credit union, or an affiliate or subsidiary that is principally engaged in financial activities, as described in United States Code, title 12, § 1843(k);
  • An insurance company, as defined in Minn. Stat. § 60A.02, subdivision 4, an insurance producer, as defined in Minn. Stat. § 60K.31, subdivision 6, a third-party administrator of self-insurance, or an affiliate or subsidiary of any entity identified in this bullet point that is principally engaged in financial activities, as described in United States Code, title 12, § 1843(k), except that this bullet point does not apply to a person that, alone or in combination with another person, establishes and maintains a self-insurance program that does not otherwise engage in the business of entering into policies of insurance;
  • A small business, as defined by the United States Small Business Administration under Code of Federal Regulations, title 13, part 121, except that a small business identified in this bullet point is subject to Minn. Stat. § 325M.17;
  • A nonprofit organization that is established to detect and prevent fraudulent acts in connection with insurance; and
  • An air carrier subject to the federal Airline Deregulation Act, Public Law 95-504, only to the extent that an air carrier collects personal data related to prices, routes, or services and only to the extent that the provisions of the Airline Deregulation Act preempt the requirements of the MCDPA.

The obligations imposed on controllers or processors under the MCDPA do not restrict a controller's or a processor's ability to do the following.

  • Comply with federal, state, or local laws, rules, or regulations, including but not limited to data retention requirements in state or federal law notwithstanding a consumer's request to delete personal data;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • Cooperate with law enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
  • Investigate, establish, exercise, prepare for, or defend legal claims;
  • Provide a product or service specifically requested by a consumer; perform a contract to which the consumer is a party, including fulfilling the terms of a written warranty; or take steps at the request of the consumer prior to entering into a contract;
  • Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or of another natural person, and where the processing cannot be manifestly based on another legal basis;
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
  • Assist another controller, processor, or third party with any of the Non-restricted Obligations as defined below;
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, human subjects research ethics review board, or a similar independent oversight entity that has determined the following.
    • The research is likely to provide substantial benefits that do not exclusively accrue to the controller;
    • The expected benefits of the research outweigh the privacy risks; and
    • The controller has implemented reasonable safeguards to mitigate privacy risks associated with research, including any risks associated with reidentification; or
  • Process personal data for the benefit of the public in the areas of public health, community health, or population health, but only to the extent that the processing is as follows.
    • Subject to suitable and specific measures to safeguard the rights of the consumer whose personal data is being processed; and
    • Under the responsibility of a professional individual who is subject to confidentiality obligations under federal, state, or local law (collectively, Non-restricted Obligations).

The obligations imposed on controllers or processors under the MCDPA do not restrict a controller's or processor's ability to collect, use, or retain data to do the following.

  • Effectuate a product recall or identify and repair technical errors that impair existing or intended functionality;
  • Perform internal operations that are reasonably aligned with the expectations of the consumer based on the consumer's existing relationship with the controller, or are otherwise compatible with processing in furtherance of the provision of a product or service specifically requested by a consumer or the performance of a contract to which the consumer is a party; or
  • Conduct internal research to develop, improve, or repair products, services, or technology.

The obligations imposed on controllers or processors under the MCDPA do not apply where compliance by the controller or processor with the MCDPA would violate an evidentiary privilege under Minnesota law and do not prevent a controller or processor from providing personal data concerning a consumer to a person covered by an evidentiary privilege under Minnesota law as part of a privileged communication.

Obligations imposed on controllers and processors under the MCDPA do not do the following.

  • Adversely affect the rights or freedoms of any persons, including exercising the right of free speech pursuant to the First Amendment of the United States Constitution; or
  • Apply to the processing of personal data by a natural person in the course of a purely personal or household activity.

A controller or processor that discloses personal data to a third-party controller or processor in compliance with the requirements of the MCDPA is not in violation of the MCDPA if the recipient processes the personal data in violation of the MCDPA, provided that at the time of disclosing the personal data, the disclosing controller or processor did not have actual knowledge that the recipient intended to commit a violation. A third-party controller or processor receiving personal data from a controller or processor in compliance with the requirements of the MCDPA is not in violation of the MCDPA for the obligations of the controller or processor from which the third-party controller or processor receives the personal data.

Personal data that are processed by a controller pursuant to Minn. Stat. § 325M.19 may be processed solely to the extent that the processing is as follows.

  • Necessary, reasonable, and proportionate to the purposes listed in Minn. Stat. § 325M.19;
  • Adequate, relevant, and limited to what is necessary in relation to the specific purpose or purposes listed in Minn. Stat. § 325M.19; and
  • Insofar as possible, taking into account the nature and purpose of processing the personal data, subjected to reasonable administrative, technical, and physical measures to protect the confidentiality, integrity, and accessibility of the personal data, and to reduce reasonably foreseeable risks of harm to consumers.

If a controller processes personal data pursuant to an exemption in Minn. Stat. § 325M.19, the controller bears the burden of demonstrating that the processing qualifies for the exemption and complies with the foregoing requirements.

Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.