Minnesota Consumer Data Privacy Act (“MCDPA”)
Information for Businesses •
Controller Responsibilities •
Processor Responsibilities •
Exemptions •
Criteria
Data Privacy and Protection Assessment
Controllers are required to conduct and document a data privacy and protection assessment for each of the following processing activities involving personal data:
- The processing of personal data for purposes of targeted advertising;
- The sale of personal data;
- The processing of sensitive data;
- Any processing activities involving personal data that present a heightened risk of harm to consumers; and
- The processing of personal data for purposes of profiling, where the profiling presents a reasonably foreseeable risk of: (1) unfair or deceptive treatment of, or disparate impact on, consumers; (2) financial, physical, or reputational injury to consumers; (3) a physical or other intrusion upon the solitude or seclusion, or the private affairs or concerns, of consumers, where the intrusion would be offensive to a reasonable person; or (4) other substantial injury to consumers.
The assessment must engage in a balanced analysis, taking into account the type of data processed, the benefits of the processing of that data, the risks to the rights of the consumer associated with the processing, and the mitigation of those risks by safeguards that can be employed by the controller. The assessment must factor in the use of deidentified data and the reasonable expectations of consumers, as well as the context of the processing and the relationship between the controller and the consumer whose personal data will be processed. The assessment must also include the description of policies and procedures required by the Act.
The data privacy and protection assessment must be provided to the Attorney General pursuant to civil investigative demand.
Disclaimer: The Attorney General’s Office (“AGO”) is providing this page as a rough guide to explore rights and obligations pursuant to the Act. In many instances, this website simplifies or rewords the provisions of the Act for comprehension and readability. The website is not intended to provide guidance as to how the AGO would enforce the Act. It is not the AGO’s intention to provide any information on this website that would conflict with the Act. The AGO offers this website as a tool for exploring the Act, but nothing on this site should be construed as legal advice for interpreting the Act or how the Act might be enforced.
