United States of America: Adopted Consumer Data Privacy Act (HF 4757) including data protection measures

On 19 May 2024, the Consumer Data Privacy Act (HF 4757) was adopted by the Minnesota Legislature. The Act will be applicable to legal entities conducting business in the state or providing products or services aimed at state residents. Specifically, it will pertain to entities that, within a calendar year, either control or process the personal data of at least 100’000 consumers or derive over 25% of gross revenue from the sale of personal data and process the personal data of at least 25’000 consumers. Small businesses, as defined by the United States Small Business Administration, will be exempt from the provisions of the act. The adopted Act aims to introduce various data protection measures. It will grant users the right to request a list of specific third parties to which the controller has disclosed their personal data. Moreover, consumers will have the right to review and correct their personal data used in profiling. Additionally, a simple opt-out mechanism from data collection will be provided to consumers. Furthermore, providers will be required not to retain personal data that is no longer relevant or reasonably necessary for the purposes for which it was collected and processed unless retention is mandated by law. Controllers will also need to document and maintain a description of the policies and procedures adopted to comply with the Act. Moreover, the Act will prohibit controllers from processing personal data based on sensitive attributes such as race, ethnicity, religion, gender, or sexual orientation in a manner that unlawfully discriminates against consumers or classes of consumers regarding housing, employment, credit, education, or access to goods, services, facilities, privileges, advantages, or accommodations in any place of public accommodation. The Act will come into effect on 31 July 2025 if signed into law. However, postsecondary institutions overseen by the Office of Higher Education are exempt from compliance until 31 July 2029.