The Decentralized Approach to Data Privacy in the U.S.
In the United States, the lack of a federal data privacy law has led to an increasingly complex and fragmented landscape of state-level regulations.
While other jurisdictions, such as the European Union, have adopted comprehensive data privacy frameworks like the General Data Protection Regulation (GDPR), the U.S. has been slower to act at the federal level. Instead, states have taken the initiative, introducing their own privacy laws to protect consumers’ personal data.
This trend started with California’s pioneering Consumer Privacy Act (CCPA), enacted in 2018, a landmark law that set the tone for state-led data privacy efforts and inspired many subsequent statutes across the country. As federal lawmakers struggle to pass a unified law, more and more states are crafting their own privacy frameworks, creating a patchwork of rules that businesses must navigate.
California’s CCPA was the first comprehensive state privacy law, granting consumers rights to access, delete, and control the sale of their personal information. It was amended and expanded by the California Privacy Rights Act (CPRA), approved by voters in 2020, which gives consumers additional rights and established the California Privacy Protection Agency to enforce the law. California’s leadership in data privacy sparked a wave of similar legislation in other states, from Virginia and Colorado to Utah and Connecticut, with each state tailoring its law to reflect its own priorities and concerns.
This decentralized approach has posed significant challenges for businesses, particularly those operating in multiple states, as they must comply with varying regulations. States differ on key issues such as applicability thresholds, exemptions for nonprofits, and the regulation of sensitive data.
Among the most recent additions to this expanding web of privacy laws is Minnesota, which became the 19th state to enact a comprehensive data privacy statute.
Minnesota’s Consumer Data Privacy Act
Minnesota’s Consumer Data Privacy Act is a significant step forward in the state’s effort to protect personal data. Like other state laws, Minnesota’s statute draws on California’s CCPA and the GDPR, but it includes its own distinctive provisions, especially in relation to automated profiling and sensitive data. For most businesses the law takes effect on July 31, 2025, while postsecondary institutions have until July 31, 2029 to comply.
The Minnesota law grants consumers extensive rights over their personal data and places new obligations on businesses that collect, process, or sell that data. It applies to entities that conduct business in Minnesota or offer products or services to its residents, provided they meet specific thresholds: controlling or processing the personal data of 100,000 or more Minnesota residents in a year, or deriving more than 25% of gross revenue from the sale of personal data while controlling or processing the personal data of at least 25,000 residents.
Minnesota’s law stands out for its focus on public education. Technology providers that contract with public schools and higher education institutions must comply with the law’s requirements, making it one of the few state laws that explicitly extends data privacy protections to educational data.
Key Features and Exemptions
The Minnesota Consumer Data Privacy Act includes several exemptions. Like California’s law, Minnesota exempts government entities, tribal organizations, and certain types of regulated data, such as information covered by HIPAA and the Gramm-Leach-Bliley Act. However, Minnesota does not provide the broad exemption for nonprofit organizations that many other states do. Nonprofits established to detect and prevent insurance fraud are the only exception; most other nonprofits are subject to the law. Additionally, small businesses as defined by the U.S. Small Business Administration are exempt, but they must still obtain consent before selling any sensitive data.
Consumer Rights Under Minnesota’s Law
Minnesota’s law grants consumers a wide range of privacy rights that echo those seen in the CCPA and other state statutes. These rights include:
- Access to personal data: Consumers can request information on whether a business is processing their personal data and can gain access to that data.
- Correction of inaccuracies: Consumers have the right to correct any inaccuracies in their personal data.
- Deletion of data: Consumers can request the deletion of their personal data, subject to some exceptions.
- Data portability: Consumers can obtain their personal data in a portable format, allowing them to transfer it from one business to another.
- Transparency in data sharing: Consumers have the right to know which third parties have received their data.
- Opt-out rights: Consumers can opt out of targeted advertising, the sale of personal data, and profiling that feeds automated decisions with legal or similarly significant effects on them.
What sets Minnesota’s law apart is its focus on automated profiling and artificial intelligence. Minnesota grants consumers the right to question the result of profiling, to be told the reason the profiling produced that result, and, where feasible, to learn what actions they could have taken to obtain a different outcome. Consumers may also review the personal data used in the profiling and, if it is inaccurate, have it corrected and the decision reevaluated on the corrected data.
Obligations for Businesses
Under Minnesota’s law, businesses have significant responsibilities regarding how they handle and protect personal data. These obligations include:
- Data minimization: Businesses may collect only the personal data that is adequate, relevant, and reasonably necessary for the purposes disclosed to the consumer.
- Sensitive data protection: The processing of sensitive data, such as information about race, health, or biometrics, requires explicit consumer consent.
- Transparency: Businesses must provide clear and accessible privacy notices, notify consumers of any material changes to their data practices, and allow consumers to withdraw consent if they disagree with the changes.
- Data security: Companies must implement administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of personal data. They must also conduct data protection impact assessments for high-risk processing activities, such as targeted advertising, the sale of personal data, processing of sensitive data, or profiling that poses a heightened risk to consumers.
- Contractual safeguards: Businesses must ensure that their contracts with data processors contain provisions to protect personal data, including confidentiality requirements and data retention policies.
Enforcement and Future Outlook
Minnesota’s Consumer Data Privacy Act will be enforced by the state’s attorney general, with civil penalties of up to $7,500 per violation. There is no private right of action, meaning individuals cannot sue businesses directly under this law. However, Minnesota has introduced a temporary cure period, in force until January 31, 2026, during which businesses are given notice and an opportunity to remedy violations before penalties are imposed.
As states like Minnesota continue to pass their own privacy laws, businesses are increasingly faced with a mosaic of compliance requirements. While common principles such as transparency, consumer control, and data security are evident across the various laws, the nuances differ from state to state. The lack of a unified federal standard means that organizations operating nationwide must continuously monitor and adjust their practices to comply with the ever-changing privacy landscape.
Author: Shernaz Jaehnel, Attorney at Law, CDPO/CIPP/CIPM, Compliance, ESG & Risk Manager
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com