It has been several years since the European Union’s General Data Protection Regulation (GDPR) came into effect in May 2018. If your business interacts with EU residents, you’re likely familiar with GDPR compliance and your responsibilities in safeguarding consumer data.
However, even if GDPR isn’t on your radar, you might have noticed similar legislation gradually making its way through Congress and various state legislatures over the years.
In this blog, we’ll focus on the requirements for small- and medium-sized businesses (SMBs) under the recently passed Minnesota Consumer Data Privacy Act (MCDPA), recommendations for navigating data privacy regulations, and more.
As of this writing, 19 states have implemented similar consumer data privacy regulations, and federal legislation is actively being debated. Regardless of your business’s size or location, it’s crucial to understand how these data privacy regulations could impact the data you handle and process.
Understanding the Minnesota Consumer Data Privacy Act (MCDPA)
The MCDPA was signed into law on May 24, 2024. What does this mean for SMBs in Minnesota? Here are some key points.
Effective Dates
The general effective date for the MCDPA is July 31, 2025. However, postsecondary institutions regulated by the Office of Higher Education have until July 31, 2029, to comply.
Scope of the Law
The MCDPA primarily affects business-to-consumer (B2C) activities, since “consumer” means a Minnesota resident acting in an individual or household context (not an employment or commercial context). It also reaches business-to-business (B2B) firms that control or process Minnesota consumers’ personal data on behalf of their clients, such as digital marketing firms.
Personal Information Coverage
- In-Scope: Personal data, meaning information that is linked or reasonably linkable to an identified or identifiable individual.
- Out-of-Scope: Properly de-identified data and publicly available information.
Applicability
The law applies to businesses that conduct business in Minnesota or target products or services to Minnesota residents and that, during a calendar year, meet either of the following thresholds:
- Control or process the personal data of 100,000 or more consumers (data processed solely to complete a payment transaction does not count toward this threshold).
- Derive more than 25% of gross revenue from the sale of personal data and control or process the personal data of 25,000 or more consumers.
Consumer Rights
Consumers have several rights under the MCDPA, including the right to access, correct, and delete their personal data and to obtain a portable copy of it. Consumers may also opt out of the sale of their personal data and of its processing for targeted advertising or for profiling that produces legal or similarly significant effects, and they may request a list of the specific third parties to which a business has disclosed their personal data.
Business Obligations
Businesses in scope of the new law must:
- Establish, implement, and maintain reasonable administrative, technical, and physical data security practices appropriate to the volume and nature of the personal data they hold.
- Maintain a data inventory covering the personal data they control or process.
- Document their data processing activities and conduct data privacy and protection assessments for higher-risk processing, such as targeted advertising, sale of personal data, and processing of sensitive data.
- Provide clear privacy notices.
- Obtain consumer consent before processing sensitive data.
- Document and maintain the policies and procedures adopted to comply with the law, with an identified individual responsible for privacy compliance.
Exemptions
Certain entities are fully or partially exempt from the MCDPA, including:
- Government entities.
- Entities governed by HIPAA.
- Certain banking and insurance activities.
- Air carriers.
- Small businesses.
How Are SMBs Impacted by the MCDPA?
If you’re curious about how the Minnesota Consumer Data Privacy Act (MCDPA) affects small- and medium-sized businesses (SMBs), the answer is a bit complex. Your organization might be exempt if it meets the definition of a Small Business. However, even if you qualify, there are still crucial data privacy requirements to keep in mind.
The MCDPA specifically states:
A Small Business as defined by the United States Small Business Administration (SBA) under Code of Federal Regulations, title 13, part 121, that conducts business in Minnesota or produces products or services targeted to residents of Minnesota, must not sell a consumer’s sensitive data without the consumer’s prior consent.
The Intricacies of SBA Definitions
One challenge is that the SBA does not provide a one-size-fits-all definition of a small business. Instead, it sets a size standard for each industry (by NAICS code), expressed as either a maximum average annual receipts figure or a maximum average number of employees, and the right standard depends on how your business is classified. Determining whether your business qualifies can therefore be intricate and time-consuming.
Beyond Minnesota: Nationwide Compliance
Remember, compliance with the MCDPA is just one piece of the puzzle. You must also adhere to privacy laws in other states and countries where you operate.
Additionally, keep an eye on the pending American Privacy Rights Act. Although it has stalled in Congress at the time of this writing, some form of federal privacy legislation may eventually pass, adding another layer of compliance requirements.
Recommendations for Navigating Data Privacy Regulations
This article aims to raise awareness but is not intended as legal advice. For specific guidance, consult with an attorney knowledgeable about privacy laws in the states or countries where you conduct business.
1. Determine Your Small Business Status
First, find out whether your business meets the SBA definition of a Small Business for your industry. This means identifying your NAICS code and comparing your average annual receipts or employee count against the SBA size standard for that code. The authoritative text is 13 CFR Part 121 (Small Business Size Regulations), available on the eCFR website, and the SBA publishes a Table of Size Standards that lists the threshold for each industry.
2. Stay Informed with Reliable Resources
The International Association of Privacy Professionals (IAPP) website is an excellent resource for up-to-date information on privacy laws. A great starting point is their US State Privacy Legislation Tracker at iapp.org, which provides comprehensive insights into privacy regulations across different states.
3. Assess Your Data Management Practices
Take a close look at your data. Where is it stored? How is it organized and classified? Who has access to it, and is that access still needed? Identify which of it is personal data (and which is sensitive data) under the MCDPA or any other regulation you are subject to, and record that in a data inventory, since the inventory is itself an MCDPA obligation. Consider the potential impact if this data were leaked, whether it would cause real harm to the individuals involved or merely embarrassment to you. Your business’s data is likely one of your most valuable assets, and how you manage, control, and protect it has significant implications.
4. Establish an Information Security Governance Program
Implement a formal Information Security Governance program within your organization. This will help you systematically evaluate and comply with data privacy and other regulations, ensuring that your business remains compliant and your data is secure.
How Loffler Services Can Support Your Data Privacy Needs
Loffler vCISO Program
Our virtual Chief Information Security Officer (vCISO) program helps assess the maturity of your Information Security and Cybersecurity programs. It identifies gaps, including data privacy concerns, ensuring your business stays compliant and secure.
Loffler Secure Print Services
Our secure print services manage and control access to printed information, helping you comply with privacy regulations and protect sensitive data.
Loffler Secure Scanning and Process Automation Solutions
Our secure scanning and process automation solutions provide robust control over your information and access, streamlining data management and enhancing security.
By leveraging these Loffler services, you can strengthen your data privacy measures and ensure your business is well-equipped to handle modern data privacy regulations.
Strengthen Your Data Privacy Measures. Contact us to learn how our comprehensive solutions can help you stay compliant with evolving data privacy regulations.
Randy is a CISSP who leads the Cybersecurity and IT Consulting team at Loffler Companies. He is focused on applying his 25+ years of IT experience to help his clients measure, understand and manage information security risk through the vCISO managed consulting program.