Minnesota Consumer Data Privacy Act (“MCDPA”)

Steps You Must Take to Honor Consumer Privacy Rights

The Act imposes structural obligations intended both to give consumers access to their own data held by controllers and to protect consumers’ data held by the controller from unauthorized access.

  • Controllers must comply with valid requests seeking to exercise consumer rights. To process these requests, controllers must provide a means for consumers to submit such requests. The means for submission can be a portal, email address, or may appear in some other form, but it must meet the following criteria:

    • It must be secure and reliable, taking into account the way consumers interact with the controller and the need for secure and reliable communication of requests; and
    • It must not require the creation of a new account.
  • Generally, controllers have 45 days to comply with a consumer’s request and inform the consumer of the action taken. In some cases, a controller may extend this deadline by an additional 45 days when reasonably necessary but must inform the consumer of the delay and the reason for the delay.

    If the controller refuses to take the action requested by the consumer, the controller must, within 45 days of the request, tell the consumer why the controller is failing to take action, and must inform the consumer how to appeal the controller’s decision.

    Generally, controllers must provide responses to consumers exercising their rights under the Act free of charge. Controllers may, in some limited circumstances, charge a reasonable administrative fee or refuse to act on the request. You can read more about this provision here.

  • Consumers have the right to opt out of any processing of their personal data for the purposes of targeted advertising, or any sale of their personal data. With few exceptions, controllers must honor opt-out requests from consumers, including those used by way of a Universal Opt-Out Mechanism. You can read more about Universal Opt-Out Mechanisms here.

  • A controller must have or establish an internal process by which a consumer may, within a reasonable time after receiving a notice of refusal, appeal the controller’s refusal to take action on a request to exercise a right provided by the Act. The appeal process must:

    • Be conspicuously available and must be consumer-friendly and easy to use by the average consumer;
    • Provide a decision, along with a written explanation of the reasons for the decision, within 45 days of the appeal request (this timeline can be extended to 105 days where reasonably necessary); and
    • In providing a decision, also provide information about how to file a complaint with the Office of the Minnesota Attorney General. Consumers may file a privacy-related complaint with the Office of the Minnesota Attorney General by phone at (651) 296-3353 or by completing a form on the Attorney General’s privacy website.

    Controllers must retain and maintain records of appeals and their responses for 24 months. Controllers must also compile and provide copies of these records to the Attorney General upon receiving a written request from the Attorney General pursuant to an investigation.

  • Accessibility

    A controller must provide consumers with a reasonably accessible, clear, and meaningful privacy notice. You can read more about the required contents of that privacy notice here.

    The privacy notice must be made available in each language in which the controller provides a product or service that is subject to the privacy notice or carries out activities related to the product or service.

    The privacy notice must be provided in a manner that is reasonably accessible to and usable by individuals with disabilities.

    The privacy notice must be posted online via a conspicuous hyperlink using the word “privacy” on the controller’s home page or app store or download page. Any controller that maintains a mobile app must also include a hyperlink to the privacy notice in the app’s settings menu or another similarly conspicuous and accessible location. If a controller does not operate a website, a privacy notice must be made conspicuously available to consumers through a medium regularly used by the controller to interact with consumers (e.g., mail).

    Notice of Change

    If a controller makes a material change to the privacy notice or practices, the controller must notify consumers affected by the change and provide a reasonable opportunity for consumers to withdraw consent to the changed collection, processing, or transfer policy. The controller shall take all reasonable electronic measures to provide this notification.

  • As discussed elsewhere, controllers must obtain consent from consumers, or from the parent or guardian of a known child, before processing such data. Controllers must also provide an effective mechanism for those consumers and parents/guardians to revoke that consent. The revocation mechanism must be at least as easy to use as the mechanism by which the consent was originally given.

    Upon receipt of a revocation, a controller must cease processing the data within 15 days.

  • A controller must establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities. The data security practices must be appropriate to the volume and nature of the personal data at issue.

  • Controllers must document and maintain a description of the policies and procedures the controller has adopted to comply with the Act. That description must include, where applicable:

    • The name and contact information for the controller’s chief privacy officer or other individual with primary responsibility for directing the policies and procedures implemented to comply with the Act;
    • A description of the controller’s data privacy policies and procedures which reflect the requirements imposed on controllers by the Act;
    • Limitations on the collection of certain data;
    • Prevention of the retention of certain unreasonable or irrelevant data; and
    • A description of any of the controller’s policies and procedures designed to identify and remediate the controller’s violations of the Act.
  • With limited exceptions, a controller may not retain personal data that is no longer relevant and reasonably necessary in relation to the purposes for which the data were collected and processed.


Disclaimer: The Attorney General’s Office (“AGO”) is providing this page as a rough guide to explore rights and obligations pursuant to the Act. In many instances, this website simplifies or rewords the provisions of the Act for comprehension and readability. The website is not intended to provide guidance as to how the AGO would enforce the Act. It is not the AGO’s intention to provide any information on this website that would conflict with the Act. The AGO offers this website as a tool for exploring the Act, but nothing on this site should be construed as legal advice for interpreting the Act or how the Act might be enforced.