In a final push before adjourning for the summer, state legislators across the country contemplated consumer privacy laws. Three legislatures made it to the finish line. One, Minnesota’s, passed the Minnesota Consumer Data Privacy Act on May 19th as part of an appropriations bill, which was signed by Minnesota’s governor on May 24th. Of the other two, one is pending gubernatorial action, and the other was vetoed.
The Rhode Island Data Transparency and Privacy Protection Act (RI-DTPA) was passed by the state legislature on June 13th. Before RI-DTPA becomes law, Governor McKee must either sign it, take no action or veto it. If signed, RI-DTPA would be in force on January 1, 2026, like the Indiana Consumer Data Protection Act and Kentucky Consumer Data Privacy.
We are not, however, making assumptions about RI-DTPA’s passage. This post was originally planned to cover the Minnesota Consumer Data Privacy Act and the Vermont Data Privacy Act, not the RI-DTPA. On June 13th (the same day that RI-DTPA was passed), Vermont’s Governor Phil Scott vetoed the Vermont Data Privacy Act. In his letter to Vermont’s General Assembly, Governor Scott noted that the Vermont Data Privacy Act created “big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.” He also noted that the private right of action is “a national outlier, and more hostile” than any other state privacy law, notwithstanding its limited scope and sunset. He raised the possibility of a First Amendment challenge to the Age-Appropriate Design Code (Section 6), noting that “similar legislation in California has already been [preliminarily enjoined] for likely First Amendment violations.” A veto override was not successful.
The RI-DTPA already faces opposition from privacy advocacy organizations claiming that RI-DTPA is too weak. Advertising associations also reportedly oppose it. Nonetheless, we have highlighted some key elements of RI-DTPA in this post so you can decide for yourself, together with answers to FAQs about the Minnesota Consumer Data Privacy Act (MN-CDPA) and how it is similar to and different from the other state consumer privacy laws.
WHEN IS MN-CDPA IN FORCE?
The MN-CDPA – the 19th state consumer privacy law – is in force on July 31, 2025, except those postsecondary institutions regulated by the Minnesota Office of Higher Education have until July 31, 2029, to comply.
For reference, the 18 state consumer privacy laws preceding MN-CDPA (State Consumer Privacy Laws) are in force as follows.
- Five in 2023
- Four in 2024
- Seven in 2025
- Two in 2026
State | State Consumer Privacy Law Title | Effective Date |
---|---|---|
California | California Consumer Privacy Act (CCPA) | January 1, 2020; CCPA Regulations effective January 1, 2023 |
Colorado | Colorado Privacy Act | July 1, 2023 |
Connecticut | Connecticut Personal Data Privacy and Online Monitoring Act | July 1, 2023 |
Delaware | Delaware Personal Data Privacy Act | January 1, 2025 |
Florida | Florida Digital Bill of Rights | July 1, 2024 |
Indiana | Indiana Consumer Data Protection Act | January 1, 2026 |
Iowa | Iowa’s Act Relating to Consumer Data Protection | January 1, 2025 |
Kentucky | Kentucky Consumer Data Privacy | January 1, 2026 |
Maryland | Maryland Online Data Privacy Act | October 1, 2025 |
Minnesota | Minnesota Consumer Data Privacy Act | July 31, 2025 |
Montana | Montana Consumer Data Privacy Act | October 1, 2024 |
Nebraska | Nebraska’s Data Privacy Act | January 1, 2025 |
New Hampshire | Act Relative to the Expectation of Privacy (NH-PA) | January 1, 2025 |
New Jersey | New Jersey Data Protection Act (NJ-DPA) | January 15, 2025 |
Oregon | Oregon Consumer Privacy Act (OR-CPA) | July 1, 2024 or July 1, 2025 for in-scope non-profit organizations |
Tennessee | Tennessee Information Protection Act (TN-IPA) | July 1, 2025 |
Texas | Texas Data Privacy and Security Act (TX-DPSA) | July 1, 2024 |
Utah | Utah Consumer Privacy Act (UT-CPA) | December 31, 2023 |
Virginia | Virginia Consumer Data Protection Act (VA-CDPA) | January 1, 2023 |
WHAT DATA IS PROTECTED?
Like the preceding State Consumer Privacy Laws, the MN-CDPA protects “personal data,” which “means information that is linked or reasonably linkable to an identified or identifiable natural person.”
The term “pseudonymous data” means “personal data that cannot be attributed to a specific natural person without the use of additional information, provided that the additional information is kept separately and is subject to appropriate technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.” (§ 325O.02(t))
The RI-DTPA has similar definitions.
A “consumer” is a resident of the state acting in an “individual or household context” and not a commercial or employment context. (§ 325O.02(g)) (The RI-DTPA uses the term “customer,” unlike the 19 preceding State Consumer Privacy Laws.) Thus, the California Consumer Privacy Act (CCPA) remains the only State Consumer Privacy Law that applies to personal data collected in a commercial or employment context.
Personal data is not:
- de-identified data, which is data that cannot reasonably be used to infer information about or be linked to a consumer or device. Both laws require that a controller take reasonable measures to protect against the reidentification of de-identified data (including by contractual obligations on recipients of the de-identified data) and that the controller itself commits to not re-identify.
- publicly available information, which is personal data lawfully made available from government records or that a controller reasonably believes was lawfully made available to the public.
WHAT ORGANIZATIONS ARE IN SCOPE?
MN-CDPA applies to a legal entity that conducts business in Minnesota or produces products or services that are targeted to residents of Minnesota and:
“… (1) during a calendar year, controls or processes personal data of 100,000 consumers or more …; or (2) derives more than 25% of its gross revenue from the sale of personal data and processes or controls personal data of 25,000 consumers or more.” (§ 325O.03(a)(1))
The thresholds in the MN-CDPA are arguably broader than other State Consumer Privacy Laws because the calendar year qualifier appears to apply only to the first threshold. For example, Oregon’s consumer privacy law applies as follows: “ORS 646A.570 to 646A.589 apply to any person that conducts business in this state, or that provides products or services to residents of this state, and that during a calendar year, controls or processes: (a) … (b) …” (ORS § 646A.572) Similarly, the RI-DTPA would, if enacted, apply its calendar year qualifier to both thresholds, i.e., during a calendar year, controlled or processed the personal data of thirty-five thousand (35,000) or more customers, or derived more than twenty percent (20%) of gross revenue from the sale of personal data and controlled or processed the personal data of not less than ten thousand (10,000) customers.
The MN-CDPA excludes from the first processing threshold personal data controlled or processed solely for the purpose of completing a payment transaction. The RI-DTPA has a similar exclusion.
Only the State Consumer Privacy Laws of Nebraska and Texas do not have processing thresholds.
WHAT DATA AND ORGANIZATIONS ARE NOT SUBJECT TO MN-CDPA?
MN-CDPA provides for various data-level exemptions, including:
- protected health information (PHI) as defined in the Health Insurance Portability and Accountability Act (HIPAA) and information deidentified according to HIPAA;
- identifiable private information for purposes of the Common Rule;
- patient safety work product for purposes of the Patient Safety and Quality Improvement Act;
- data collected, processed or disclosed pursuant to the Gramm-Leach-Bliley Act (GLBA), Fair Credit Reporting Act (FCRA), Family Educational Rights and Privacy Act (FERPA) and Driver’s Privacy Protection Act of 1994 (DPPA);
- data collected or maintained in the course of an individual applying to be employed by or acting as a contractor of a controller, processor or third party if the data is collected and used solely within the context of the role (§ 325O.03 (a)(13));
- data collected or processed as the emergency contact information of an individual for employment emergency contact purposes; and
- data that is necessary for the business to retain to administer benefits for another individual relating to the individual employed if used solely for the purposes of administering those benefits.
Nearly all of the State Consumer Privacy Laws (and, if enacted, the RI-DTPA) include similar exemptions. As noted above, the CCPA, by contrast, applies to personal data collected in a commercial or employment context.
Notes:
The MN-CDPA (§ 325O.03) does not have entity-level exemptions for financial institutions under the GLBA or for covered entities and business associates under HIPAA. Like the majority of the State Consumer Privacy Laws, the RI-DTPA (§ 6-48.1-3(d)) would have these entity-level exemptions.
The MN-CDPA only excludes non-profit organizations established to detect and prevent fraudulent acts in connection with insurance. (§ 325O.03 (a)(20).) The State Consumer Privacy Laws in Colorado, Delaware, Iowa, Maryland, Nebraska, New Jersey and Oregon also do not have exemptions for all or most non-profit organizations.
The MN-CDPA (§ 325O.075) exempts small businesses (as defined by the Small Business Administration) but, like § 541.107 of the Texas consumer privacy law, a small business may not sell a consumer’s sensitive data without the consumer’s prior consent.
WHAT IS AND IS NOT A “SALE” OF PERSONAL DATA?
The MN-CDPA defines “sale” as an exchange of personal data for monetary or other valuable consideration to a “third party.”
The MN-CDPA defines:
- “third party” as a legal or natural person other than the consumer (or “customer” under RI-DTPA), controller, processor or the controller’s or processor’s affiliate; and
- “affiliate” as a legal entity that controls, is controlled by or is under common control with the controller or processor. (The RI-DTPA’s definition of an affiliate also would include an entity that “shares common branding” (§ 6-48.1-2(1)).)
Notes: Two-thirds of the State Consumer Privacy Laws have materially the same definition, as would the RI-DTPA if enacted. To date, only 6 of 19 State Consumer Privacy Laws define a “sale” as an exchange for monetary consideration: Indiana, Iowa, Kentucky, Tennessee, Utah, and Virginia.
The MN-CDPA (§ 325O.02(u)) excludes from the definition of sale:
- The disclosure of personal data to a processor that (or who) processes the personal data on behalf of the controller.
- The disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer (some State Consumer Privacy Laws require that the consumer request is made “affirmatively”).
- The disclosure or transfer of personal data to an affiliate of the controller.
- The disclosure of information that the consumer: (i) intentionally made available to the public via a channel of mass media; and (ii) did not restrict to a specific audience.
- The disclosure or transfer of personal data to a third party as an asset that is part of a completed or proposed merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets.
- The exchange of personal data between “the producer of a good or service and authorized agents of the producer who sell and service the goods and services, to enable the cooperative provisioning of goods and services by both the producer and the producer’s agents.”
Most of these exclusions are typical of the State Consumer Privacy Laws.
WHAT RIGHTS ARE AVAILABLE FOR CONSUMERS IN MN-CDPA?
The MN-CDPA offers a consumer these privacy rights:
- Right to confirm what personal data concerning the consumer that the controller is processing and to access that personal data.
- Right to correct inaccuracies in the consumer’s personal data.
- Right to delete personal data concerning the consumer.
- Right to obtain personal data concerning the consumer that the consumer previously provided to the controller, in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
- Right to obtain a list of the specific third parties to which the controller has disclosed the consumer’s personal data. If the controller does not maintain the information in a format specific to the consumer, a list of specific third parties to whom the controller has disclosed any consumers’ personal data may be provided instead.
- Right to opt out of processing personal data for:
- targeted advertising, which is, generally, online advertising based on personal data obtained or inferred from a consumer’s online activity over time and across nonaffiliated online services.
- sale (defined above).
- profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. (In MN-CDPA, profiling is automated personal data processing to evaluate, analyze, or predict personal aspects related to a consumer’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. (§ 325O.02(s)))
In addition to the rights above, the MN-CDPA also offers the distinct right to question the result of profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer, to be informed of the reason that the profiling resulted in the decision, and “if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future.” The consumer also has the right to review the personal data used in the profiling and to correct inaccurate personal data and have the profiling decision re-evaluated (§ 325O.05(1)(g)). This is a unique right in the MN-CDPA.
Notes:
Deletion Rights: Like the MN-CDPA, other State Consumer Privacy Laws provide broad deletion rights for personal data “concerning” the consumer (e.g., N.J.S. C.56:8-166.10(a)(3)) or “about” the consumer (e.g., ORS § 646A.574, which is in force on July 1, 2024). Most of the State Consumer Privacy Laws provide deletion rights for personal data “provided by or obtained about” the consumer (e.g., Texas), which is arguably narrower than the MN-CDPA’s “concerning” standard. The Iowa consumer privacy law provides deletion rights only to personal data “provided by” the consumer, which is even narrower.
Profiling Opt-Out: Like MN-CDPA, the Oregon law (§ 646A.574(1)(d)(C), which is in force on July 1, 2024) allows an opt-out right for profiling, which is automated processing, in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (as do the consumer privacy laws of Kentucky and New Jersey, among others). Other varieties of the profiling opt-out right apply to profiling that is solely automated processing (e.g., the Texas law, which also is in force on July 1, 2024) and to profiling (which is any form of automated processing) in furtherance of solely automated decisions (e.g., the Montana law, § 30-14-2808, which is in force on October 1, 2024).
WHAT ARE THE CONTROLLER’S OBLIGATIONS IN RESPONDING TO A CONSUMER PRIVACY RIGHTS REQUEST?
Timing: A controller has up to 45 days after receipt of a consumer’s privacy rights request to respond, subject to a 45-day extension when “reasonably necessary” and after informing the consumer of the delay and reason for it within 45 days after receipt of the request. (The RI-DTPA has the same timing restrictions.) In responding to a request, the controller must provide information free of charge and up to twice annually (once per 12-month period in the RI-DTPA) per consumer, although the controller may charge a reasonable fee or decline a request if a request is manifestly unfounded, excessive or repetitive. These timing requirements are similar to most of the other State Consumer Privacy Laws. (§ 325O.04(e) – (g)).
When responding to a privacy rights request, a controller subject to the MN-CDPA may not disclose certain sensitive data, i.e., social security numbers, government-issued identification numbers, financial account numbers, account passwords, health insurance account numbers, security questions or answers, and biometric data. (§ 325O.05(4)(i)). The controller may only inform the consumer whether the controller has collected that particular information.
Allowing an authorized agent to exercise a consumer’s privacy rights request: The MN-CDPA allows a consumer to designate an authorized agent to exercise the consumer’s right to opt out of the processing of the consumer’s personal data for purposes of targeted advertising and sale (but not profiling), like most of the other State Consumer Privacy Laws (e.g., Texas law). The consumer privacy laws of Montana and Oregon allow an authorized agent to opt out of targeted advertising, sale, and profiling on behalf of the consumer. The RI-DTPA follows Montana and Oregon.
The MN-CDPA does not specifically require a controller to verify the identity of an agent but the controller is obligated to comply with an opt-out request only if the controller is able to authenticate the consumer’s identity and the agent’s authority using “commercially reasonable efforts.” The RI-DTPA follows a similar standard but does not require “commercially reasonable efforts.” A controller also must allow a consumer to designate an authorized agent using “a technology” such as “an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer’s intent to opt out of the processing.” (§ 325O.05(d)). The RI-DTPA does not require this opt-out mechanism.
Notes: Not all State Consumer Privacy Laws include provisions that allow an authorized agent to exercise privacy rights on behalf of a consumer.
Authenticating a consumer’s privacy rights request: A controller subject to MN-CDPA must comply with an “authenticated consumer request” using “commercially reasonable efforts” and is not required to comply with a request if the controller is unable to authenticate the consumer’s identity.
If the controller is unable to authenticate the request using commercially reasonable efforts, a controller is not required to comply with a request to exercise the rights to confirm/access, correct, delete, receive a copy of the consumer’s personal data (aka portability) or to receive the list of third-party personal data recipients. The controller may request additional information reasonably necessary to authenticate the request. (Under the RI-DTPA, the controller must inform the customer that it is unable to authenticate the request until the customer provides additional information reasonably necessary to authenticate the request. (§ 6-48.1-6(b)(4))) For an opt-out request, the controller is not required to authenticate but may deny the request if the controller has a good faith, reasonable, and documented belief that the request is fraudulent. If the controller denies the opt-out request because the controller believes a request is fraudulent, the controller must notify whoever made the request that the request was denied due to the controller’s belief that the request was fraudulent and state the controller’s basis for that belief. (§ 325O.04). The RI-DTPA has a similar standard.
Appeals: A controller must allow a consumer to appeal when the controller does not act on a consumer’s request and ensure that the appeal process is conspicuously available and available for use via “an opt-out preference signal sent, with the consumer’s consent, by a platform, technology, or mechanism to the controller indicating the consumer’s intent.” Within 45 days (subject to a 60-day extension when reasonably necessary), the controller must provide a written explanation of any action taken or not taken in response to the appeal and provide information about how to file a complaint with Minnesota’s Office of the Attorney General. (§ 325O.05(5)). The RI-DTPA has a similar standard. (Only the Utah and California state consumer privacy laws do not allow for appeals.)
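To make the opt-out handling rules above concrete for an engineering team, here is an added example (not code from the original post, from the Minnesota statute, or from any vendor): a small Python handler that treats a browser-level opt-out preference signal as an opt-out request without authenticating the consumer, refuses only on a documented good-faith fraud basis that is returned to the requester, and leaves profiling untouched because signal- and agent-based opt-outs cover only targeted advertising and sale. The header name `Sec-GPC: 1` (the Global Privacy Control signal) and the in-memory registry are assumptions; the statute text quoted above names only a browser setting, browser extension, or global device setting.

```python
# Added example, not part of the original post or of any statute text.
# Assumptions (not stated on the page): the browser/device opt-out preference
# signal is the Global Privacy Control request header "Sec-GPC: 1", and an
# in-memory dict stands in for the controller's preference store and audit log.
from dataclasses import dataclass, field
from typing import Optional

# Opt-outs submitted through an agent or a browser/device signal cover
# targeted advertising and sale; a profiling opt-out still requires the
# consumer's own request, so it is deliberately absent here.
SIGNAL_OPT_OUT_SCOPES = ("targeted_advertising", "sale")


@dataclass
class OptOutDecision:
    granted: bool
    scopes: tuple = ()          # empty when no opt-out was actually requested
    # A denial for suspected fraud must state the controller's basis to
    # whoever made the request, so the basis travels with the decision.
    denial_basis: Optional[str] = None


@dataclass
class OptOutRegistry:
    preferences: dict = field(default_factory=dict)  # consumer_id -> set of scopes
    audit_log: list = field(default_factory=list)    # one record per decision


def has_opt_out_signal(headers: dict) -> bool:
    """True when the request carries a browser/device opt-out preference signal.

    HTTP header names are case-insensitive, so normalise before comparing.
    Assumption: the signal honoured is GPC's "Sec-GPC: 1".
    """
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    return lowered.get("sec-gpc") == "1"


def handle_opt_out(registry: OptOutRegistry, consumer_id: str, headers: dict,
                   explicit_request: bool = False,
                   fraud_basis: Optional[str] = None) -> OptOutDecision:
    """Process an opt-out request without authenticating the consumer.

    The opt-out is honoured when the consumer asks for it explicitly or the
    request carries a preference signal. The only permitted reason to refuse
    is a good-faith, reasonable, documented belief that the request is
    fraudulent: an undocumented suspicion (fraud_basis is None) does not
    count, and a denial always carries its basis back to the requester.
    """
    signalled = has_opt_out_signal(headers)
    requested = explicit_request or signalled
    if not requested:
        decision = OptOutDecision(granted=False)
    elif fraud_basis:
        decision = OptOutDecision(granted=False, scopes=SIGNAL_OPT_OUT_SCOPES,
                                  denial_basis=fraud_basis)
    else:
        registry.preferences.setdefault(consumer_id, set()).update(SIGNAL_OPT_OUT_SCOPES)
        decision = OptOutDecision(granted=True, scopes=SIGNAL_OPT_OUT_SCOPES)
    # Record every decision, including denials and their documented basis.
    registry.audit_log.append({
        "consumer": consumer_id, "signal": signalled, "explicit": explicit_request,
        "granted": decision.granted, "denial_basis": decision.denial_basis,
    })
    return decision


def may_process(registry: OptOutRegistry, consumer_id: str, scope: str) -> bool:
    """Gate a processing purpose on the stored opt-outs before acting on data."""
    return scope not in registry.preferences.get(consumer_id, set())


if __name__ == "__main__":
    reg = OptOutRegistry()
    # Constructed request headers: a browser sending the opt-out signal.
    decision = handle_opt_out(reg, "consumer-1", {"Sec-GPC": "1", "User-Agent": "example"})
    print(decision, "sale allowed:", may_process(reg, "consumer-1", "sale"))
```

The gate in `may_process` is the part that matters operationally: an opt-out that is recorded but never consulted by the ad-tech or data-sharing code path is a compliance gap, so the check belongs at the point where personal data is about to be sold or used for targeted advertising, not only in the preference store.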
WHAT OTHER OBLIGATIONS APPLY TO CONTROLLERS IN MN-CDPA?
The MN-CDPA includes many of the same controller obligations as the preceding State Consumer Privacy Laws, including:
Role based processing agreements
A controller must enter into a binding personal data processing agreement with each of its processors that:
- sets out the nature, purpose and duration of processing, the type of personal data subject to processing, processing instructions and the rights and obligations of each party
- contractually imposes a duty of confidentiality with respect to the personal data shared with a processor
- requires the processor to return or delete (per the controller’s choice) all personal data at the end of provision of the processor’s services unless retention is required by law
- upon a reasonable request from the controller, the processor shall make available to the controller all information necessary to demonstrate compliance with MN-CDPA
- requires that the processor cooperate with the controller including by allowing an assessment of the processor’s policies and practices
A processor must ensure that all of its sub-contractors handling the controller’s personal data are bound by a processing agreement that requires the sub-contractor to meet the requirements of the processor’s agreement with the controller. The controller also must have the opportunity to object to proposed new sub-contractors. (§ 325O.04(c)-(e).)
Processing obligations related to sensitive data generally
MN-CDPA defines “sensitive data” as personal data that reveals (1) racial or ethnic origin, (2) religious beliefs, (3) mental or physical health condition or diagnosis, (4) sexual orientation, or (5) citizenship or immigration status, as well as (6) genetic data or biometric data processed to uniquely identify a specific natural person, (7) personal data of a known child (under age 13), and (8) specific geolocation data (a MN-CDPA defined term). The RI-DTPA’s definition is similar but uses the term “precise geolocation data.”
Like the majority of the State Consumer Privacy Laws (including the RI-DTPA), a controller may not process sensitive data without obtaining the consumer’s (opt-in) consent or, for a child, in compliance with COPPA.
Notes:
Maryland’s approach to sensitive data is stricter: a controller cannot collect, process, or share sensitive data unless the collection or processing is strictly necessary to provide or maintain a specific product or service requested by the consumer. (§ 14-607(A)). Maryland’s law also includes provisions specific to “consumer health data,” but MN-CDPA does not. The Maryland law also prohibits a controller’s sale of personal data or processing for the purposes of targeted advertising if the controller knows or should have known that the consumer is under age 18. (§ 14-607(A)(4),(5))
Policies and procedures
The MN-CDPA also includes some distinct controller obligations related to policies and procedures. A controller must document and maintain a description of the policies and procedures specific to compliance with the MN-CDPA, including:
- the name and contact information for the controller’s chief privacy officer or other individual with primary responsibility for compliance with MN-CDPA;
- the controller’s data privacy policies and procedures for processing de-identified and pseudonymous data as per § 325O.07;
- data security practices to protect the confidentiality, integrity, and accessibility of personal data, including in particular maintenance of an inventory of the personal data protected;
- data privacy and protection assessment (see below); and
- data minimization, i.e., processes for limiting personal data collection to what is “adequate, relevant, and reasonably necessary in relation to the purposes for which the data are processed” and ensuring that personal data is retained no longer than necessary in relation to the purposes for which the data were collected and processed (§ 325O.08(a)(2)(iv)-(v)).
WHAT NOTICE REQUIREMENTS APPLY?
A controller regulated by the MN-CDPA must provide consumers with a reasonably accessible and clear privacy policy that includes:
- Categories of personal data processed by the controller;
- Purposes for processing personal data;
- Explanation of privacy rights;
- How consumers may exercise their privacy rights and submit appeals;
- Categories of personal data that the controller sells to or shares with third parties;
- Categories of third parties with which the controller shares the personal data;
- Controller’s contact information including an active email or online mechanism;
- Retention policies for personal data;
- Date of last privacy policy update; and
- Profiling, sale and/or targeted advertising practices (see below).
A notice that meets the current requirements of the CCPA and the Colorado consumer privacy law generally complies with the requirements in the MN-CDPA and the RI-DTPA. The Maryland consumer privacy law also requires a controller to provide an active email address or other online mechanism by which consumers can contact the controller, similar to California’s requirement for online-only businesses but applicable to all controllers.
Notice requirements for sales, targeted advertising and profiling:
If a controller sells personal data to third parties, processes personal data for targeted advertising or engages in profiling in furtherance of decisions that produce legal or similarly significant effects, the controller shall clearly and conspicuously disclose the sale or processing in the privacy notice and provide a method outside of the privacy notice for consumers to opt-out of such sale or processing. The method may include a hyperlink labeled “Your Opt-Out Rights” or “Your Privacy Rights” that directly effectuates the opt-out request or takes consumers to a webpage where the consumer can make the request. (§ 325O.07(1).)
ARE CONTROLLERS REQUIRED TO CONDUCT DATA PROTECTION ASSESSMENTS?
Yes, a controller is required to conduct and document a data protection assessment prior to undertaking certain processing activities. Of the 19 state consumer privacy laws, only the laws of Iowa and Utah do not have some form of assessment requirement. California’s privacy law provides for regulations on the topic of data protection assessments.
The MN-CDPA requires an assessment for:
- Processing personal data for targeted advertising;
- Sale of personal data;
- Processing of sensitive data;
- Processing personal data for profiling, if the profiling presents a reasonably foreseeable risk of (i) unfair or deceptive treatment, (ii) financial, physical or reputational injury, (iii) physical or other intrusion upon solitude, seclusion, or private affairs that would be offensive to a reasonable person or (iv) other substantial injury to consumers; and
- any other processing activity that presents a heightened risk of harm to a consumer.
The RI-DTPA has similar assessment requirements (§ 6-48.1-7(e)).
As part of the assessment process, the controller must identify and weigh the benefits of the processing activity to the controller, the consumer, other stakeholders and the public against the potential risks to the rights of the consumer. As part of this risk-benefit analysis, the controller also must consider how safeguards may mitigate the identified risks and must factor in the use of de-identified data, the reasonable expectations of consumers, the context of processing and the relationship between the controller and the consumer. The assessment also must include a description of the Policies and Procedures described above.
As part of a civil investigative demand, a controller is required to make its data protection assessments available to the Attorney General upon request. Any data protection assessment provided to the state regulator remains confidential and the disclosure does not constitute a waiver of attorney-client privilege or work product protection.
WHAT ARE THE CONSEQUENCES OF NONCOMPLIANCE?
The Attorney General has exclusive enforcement power. No private right of action is available. The MN-CDPA provides for a cure period after receipt of a warning letter from the Attorney General. The cure period expires January 31, 2026. A controller or processor that does not cure a violation is subject to an injunction and a civil penalty of no more than $7,500 per violation.
The Rhode Island Attorney General has sole enforcement authority under the RI-DTPA. (§ 6-48.1-8(b)). There is no cure period and the Attorney General may seek injunctive relief and a civil penalty of no more than $10,000 per violation.
With nineteen State Consumer Privacy Laws enacted, organizations are increasingly looking to create a compliance program based on the strictest requirement in each of the State Consumer Privacy Laws, rather than adopting a state-by-state approach. Stay tuned to find out whether RI-DTPA becomes law and for tips on complying with the state privacy law puzzle.
Krista Setera and Mary Aldrich contributed to this article