United States of America: Signed Consumer Data Privacy Act (HF 4757) including cybersecurity measures

On 24 May 2024, the Consumer Data Privacy Act (HF 4757) was signed into law by the Minnesota Governor. The Act will be applicable to legal entities conducting business in the state or providing products or services aimed at state residents. Specifically, it will pertain to entities that, within a calendar year, either control or process the personal data of at least 100’000 consumers or derive over 25% of gross revenue from the sale of personal data and process the personal data of at least 25’000 consumers. Small businesses, as defined by the United States Small Business Administration, will be exempt from the provisions of the Act. The Act mandates that controllers establish, implement, and maintain reasonable administrative, technical, and physical data security practices to safeguard the confidentiality, integrity, and accessibility of personal data. This includes maintaining an inventory of the data necessary to fulfil these responsibilities. The data security practices will have to be appropriate to the volume and nature of the personal data involved. The Act will come into effect on 31 July 2025. However, postsecondary institutions overseen by the Office of Higher Education are exempt from compliance until 31 July 2029.