Minnesota Consumer Data Privacy Act

1. Does your organization conduct business in Minnesota or target products/services to Minnesota residents and meet either: Process personal data of 100,000+ consumers/year, OR Derive >25% revenue from sale of personal data and process ≥25,000 consumers' data?

2. Is your organization or the data you process covered/exempt under other laws or categories such as: Government entities, tribes, small businesses, banks/credit unions, insurers, or air carriers; Health/medical data; Credit/financial/education data; Employment/HR data; Public health, deidentified, or self-regulatory organization–regulated data?

1. Do you have processes in place that allow consumers, or their guardians or authorized agents, to exercise their rights to confirm and access their personal data, correct inaccuracies, delete data, obtain portable copies, opt out of targeted advertising, sale, or profiling, and review or contest profiling decisions that rely on inaccurate information?

2. Do you provide consumers with transparency regarding disclosures of their data to third parties, either by identifying the specific parties to whom their data has been disclosed or, if individual-level tracking is not maintained, by maintaining and publishing a general list of third parties?

3. Do you honor consumer opt-out requests submitted through universal mechanisms, such as browser signals, in a manner that is user-friendly, not pre-set by default, consistent with state and federal law, and capable of resolving conflicts with loyalty or reward programs by informing the consumer of the consequences of their opt-out choice?

4. Do you have a consumer request handling process that provides secure and accessible submission channels, avoids requiring consumers to create new accounts, responds within 45 days (with a single possible extension and notice), explains any denial or delay, provides responses free of charge up to twice annually, rejects unfounded or excessive requests only with justification, and uses commercially reasonable methods to authenticate requests, while not imposing authentication burdens on opt-out requests?

5. Do you maintain an appeal process that is easy to use, clearly communicated to consumers, provides a written explanation of the outcome within 45 days (extendable by 60 days with notice), includes information about the right to contact the Attorney General in case of dissatisfaction, and preserves all records of appeals for at least 24 months?

1. Do you have policies that prevent reidentification of deidentified or pseudonymous data, while ensuring that neither controllers, processors, nor third parties attempt to identify data subjects unless expressly authorized, and that pseudonymous identifiers are not used to trace individuals?

2. Where consumer requests involve deidentified or pseudonymous data, do you confirm whether responding would be reasonably possible, whether the data is kept separate and protected with organizational controls, and whether the data is ever sold or disclosed to third parties beyond processors?

3. Do you exercise reasonable oversight to monitor compliance with contractual commitments regarding deidentified or pseudonymous data, and do you have clear procedures to address breaches of those commitments?

1. Does your privacy notice clearly cover all required elements (categories of data, purposes, consumer rights, third-party sharing/selling, retention, contact info, update date), disclose targeted advertising/sale/profiling with an opt-out mechanism, and is it accessible (languages, disabilities, conspicuous posting, notice of changes)?

2. Do you collect only necessary data for disclosed purposes, avoid incompatible processing without consent, maintain strong data security practices, obtain verifiable consent for sensitive/child data, provide easy revocation of consent within 15 days, avoid unauthorized targeted ads/sales to minors, and delete data when no longer needed?

3. Do you ensure data is not processed in ways that unlawfully discriminate (housing, jobs, credit, education, services), avoid penalizing consumers for exercising rights, and apply loyalty/reward programs transparently without unfair sale of data?

4. Do you avoid contract terms that waive or limit consumer rights under this law?

1. If you qualify as a small business under federal definitions and operate in or target Minnesota residents, do you obtain prior consent before selling any consumer's sensitive data?

2. Are you aware that violations of this requirement are subject to penalties and enforcement by the Minnesota Attorney General?

1. Do you maintain documented data privacy policies and procedures, including a responsible privacy officer, data handling policies, security practices, inventory of data, collection limits, retention rules, and violation remediation?

2. Do you conduct and document data privacy and protection assessments for processing involving targeted advertising, sale of personal data, sensitive data, high-risk processing, or profiling with foreseeable consumer harm, taking into account benefits, risks, context, sensitivity, and use of deidentified data?

3. Are assessments made available to the attorney general upon request, classified as nonpublic data, and aligned with assessments conducted for other laws if scope and effect are similar?

1. Do you ensure that your processing activities comply with applicable laws, regulatory inquiries, contracts, law enforcement requests, public health or research purposes, or other exemptions?

2. When disclosing personal data to third parties, do you confirm that your disclosure complies with the chapter and that you have no actual knowledge of any intended violations by the recipient?

3. Are your processing activities under these exemptions necessary, reasonable, proportionate, limited to the purpose, and protected by administrative, technical, and physical measures to mitigate consumer risk?