The Weekly Breach Breakdown: The Star of the North – An Update on Data Privacy Laws by State

• Minnesota was the 19^th state to pass a consumer privacy law. It will take effect on July 31, 2025, except for institutions regulated by the Minnesota Office of Higher Education. They have until July 31, 2029 to comply.
• The Minnesota data privacy law will cover entities that control or process data on 100,000 consumers or derive 25 percent of revenue from selling the data of more than 25,000 customers.
• The law contains consumer rights and business obligations around profiling practices. Consumers can request information regarding a profiling decision. Small businesses as defined by the U.S. Small Business Administration are exempt from the Minnesota data privacy law.
• There is a lot of action regarding proposed data privacy laws by state. Rhode Island lawmakers passed a data privacy law. The bill has been transmitted by the Governor and will become law without a signature.
• However, Vermont Governor Phil Scott vetoed a data privacy bill, saying it had “competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.”
• For an update on all of the data privacy laws by state, read Squire, Patton, Boggs, the global law firm, blog here. To learn about the latest data compromises, consumers and businesses should visit the Identity Theft Resource Center’s data breach tracking tool, notified. 
• If you believe you are the victim of an identity crime, call or text toll-free at 888.400.5530 or live chat on our website, idtheftcenter.org.

The Star of the North

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for July 3, 2024. Thanks to Sentilink for their support of the podcast and the ITRC. Each week, we look at the most recent events and trends related to data security and privacy. This week, we provide an update on data privacy laws by state as legislators make their final push before adjourning for the summer.

Minnesota Data Privacy Law Passed & Signed

Minnesota, whose state motto is the Latin translation of “The Star of the North”, which is also the title of this podcast, is the 19^th state to pass a consumer privacy law. It was signed by the Governor on May 24. The law will take effect on July 31, 2025, except for institutions regulated by the Minnesota Office of Higher Education. They have until July 31, 2029 to comply.

The Minnesota Consumer Data Privacy Act, or MN-CDPA, will cover entities that control or process data on 100,000 consumers or derive 25 percent of revenue from selling the data of more than 25,000 customers. Unlike most other state privacy laws, Minnesota requires organizations to provide the names and contact information of the Chief Privacy Officer or other individuals responsible for data privacy notices.

The MN-CDPA also contains consumer rights and business obligations around profiling practices – the use of automated tools to make decisions using personal information about individuals. Consumers can request information regarding a profiling decision, including the reasoning behind a particular profiling decision and access to the data used to reach the decision.

There are some exemptions to the Minnesota data privacy law. Small businesses as defined by the U.S. Small Business Administration are exempt. Also, there are targeted exemptions for health and financial data processing, but no blanket exemptions from federal laws.

Rhode Island Data Privacy Law Passed & Transmitted by Governor

Minnesota is the seventh state in 2024 to pass data privacy legislation through the legislature. Rhode Island followed behind to become the eighth state. The Rhode Island Data Transparency and Privacy Protection Act – RI-DTPA – was passed by the state legislature on June 13. The RI-DTPA was transmitted by the Governor without signature, allowing it to become law. RI-DTPA will go into effect on January 1, 2026, along with the Indiana Consumer Privacy Act and Kentucky Consumer Data Privacy.

Vermont Data Privacy Law Vetoed by Governor

One Governor who vetoed a data privacy bill was Vermont Governor Phil Scott. In his letter to Vermont’s General Assembly, Governor Scott noted that the Vermont Data Privacy Act created “big and expensive new burdens and competitive disadvantages for the small and mid-sized businesses Vermont communities rely on.” He also noted that the private right of action is “a national outlier, and more hostile” than any other state privacy law.

An Update on Data Privacy Laws by State

For an update on all of the data privacy laws by state, read Squire, Patton, Boggs, the global law firm, blog here in Privacy World. It has the latest on all of these privacy laws, including a full in-depth breakdown of MN-CDPA. We will keep you updated on the data privacy laws by state as state legislators wrap up their sessions.

Contact the ITRC

If you want to know more about how to protect your business or personal information or think you have been the victim of an identity crime, you can speak with an expert ITRC advisor on the phone, via text message, chat live on the web, or exchange emails during our normal business hours (Monday-Friday, 6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.

Thanks again to Sentilink for their support of the ITRC and this podcast. Be sure to check out our sister podcast, the Fraudian Slip. Last week we had our own Chief Victims Officer, Mona Terry, on the podcast to discuss the findings in our recently released 2023 Trends in Identity Report. To download a copy of the report, visit www.idtheftcenter.org/publications. We will return next week with another episode of the Weekly Breach Breakdown.