Minnesota Consumer Data Privacy Act (“MCDPA”)
Information for Consumers •
Information for Businesses •
Frequently Asked Questions •
File a Complaint
Exemptions
The Act specifically exempts certain entities and certain data from provisions in the Act.
The Act does not apply to the following entities:
- Governmental entities
- Federally-recognized Indian tribes
- Certain self-regulatory organizations as defined by 15 USC 78c(a)(26), including, for example, a national securities exchange
- State- or federally-chartered banks, credit unions, and certain affiliates or subsidiaries
- Certain insurance producers, administrators, and related entities
- Small businesses, except that sale of consumer data without prior consent is still prohibited
- Non-profit entities established to detect and prevent fraudulent acts in connection with insurance
The Act also provides exemptions for requirements in the Act for certain data, as described below.
- CERTAIN DEIDENTIFIED OR PSEUDONYMOUS DATA:
The Act does not require a controller or processor reidentify data that has been deidentified solely for the purposes of complying with the Act, nor does the Act require a controller or processor maintain data in identifiable form in order to be capable of associating an authenticated consumer request with personal data. The Act exempts a number of its provisions from certain deidentified and pseudonymous data. A description of these exemptions, and the requirements for data to be considered deidentified and/or pseudonymous, can be found here. - FINANCIAL DATA:
Certain financial data subject to federal data protection by the Gramm-Leach-Bliley Act - HEALTH DATA:
Certain health- or public health-related data - HIPAA-LEVEL PROTECTED DATA:
Information maintained by health care providers to the extent that the data is protected in the same manner as HIPAA - CREDIT DATA:
Certain credit data, so long as that data is collected, maintained, used, communicated, disclosed, or sold only as authorized by the federal Fair Credit Reporting Act, 15 USC §§ 1681 – 1681x, including data so intermingled with that credit data so as to be indistinguishable from the credit data, so long as it is similarly collected, processed, used, or maintained - DRIVER RECORD DATA:
Certain personal data collected, processed, sold, or disclosed pursuant to and in compliance with the federal Driver’s Privacy Protection Act of 1994, 18 USC §§ 2721 – 2725, which governs release of data from state motor vehicle records - EDUCATION DATA:
Certain personal data regulated by the federal Family Educational Rights and Privacy Act, 20 USC § 1232g, which governs access to education records - FARM CREDIT DATA:
Certain personal data collected, processed, sold, or disclosed pursuant to and in compliance with the federal Farm Credit Act of 1971, 12 USC §§ 2001 – 2279cc and implementing regulations found in 12 CFR 600, which, broadly speaking, regulates credit-related data for farmers and ranchers - EMPLOYER DATA:
Certain data collected by employers in the contexts of accepting job applications, maintaining emergency contact information, and administering benefits, so long as the data is used only in those contexts - INSURANCE DATA:
Certain data collected, processed, or sold pursuant to and in compliance with the Minnesota Insurance Fair Reporting Act, Minn. Stat. §§ 72A.49 – 72A.505 - PAYMENT DATA:
Certain payment data collected, processed, sold, or disclosed as part of a payment-only credit, check, or cash transaction so long as no data on consumers is actually retained - AIRLINE DATA:
Certain data collected relating to the prices, routes, or services and only to the extent that the provisions of the Airline Deregulation Act, Public Law 95-104 would preempt the Minnesota Consumer Data Privacy Act
Disclaimer: The Attorney General’s Office (“AGO”) is providing this page as a rough guide to explore rights and obligations pursuant to the Act. In many instances, this website simplifies or rewords the provisions of the Act for comprehension and readability. The website is not intended to provide guidance as to how the AGO would enforce the Act. It is not the AGO’s intention to provide any information on this website that would conflict with the Act. The AGO offers this website as a tool for exploring the Act, but nothing on this site should be construed as legal advice for interpreting the Act or how the Act might be enforced.
