Minnesota Sends Comprehensive Privacy Law to Governor

Julie Rubash, General Counsel and Chief Privacy Officer
May 20, 2024
MIinnesota Sends Comprehensive Privacy Law to Governor

Want to receive these weekly privacy recaps in your inbox? Sign up for our privacy newsletter, A Little Privacy, Please.


Minnesota Sends Comprehensive Privacy Law to Governor

One day before the end of the 2024 legislative session, the Minnesota legislature passed an omnibus bill, HF 4757, containing the Consumer Data Privacy Act. If signed by the Governor, the comprehensive privacy law will become effective July 31, 2025.


The law most closely resembles Connecticut’s privacy law, but it has borrowed certain aspects from other states as well. For example, Minnesota, like Oregon, will give consumers the right to request from controllers a list of specific third parties (as opposed to categories of third parties) to which personal data has been disclosed. The law also adopts several requirements from California and Colorado rules regarding the extension of opt-out rights and privacy notices. In addition to provisions adopted from other states, the Minnesota law also creates some brand new requirements, including, most notably, requirements to maintain “an inventory of the data” that is processed and a “description of the policies and procedures” that the controller has adopted to comply with the law.  

New Wave of California Tracking Technology Lawsuits Filed

As reported by Baker Hostetler, at least five complaints were filed against large retailers based on the use of web-tracking technologies during online credit card transactions, in each case alleging violations of the California Song Beverly Credit Card Act (“Song Beverly”), a law enacted in 1971. Song Beverly prohibits businesses from requesting or requiring personal identification information (PII) from cardholders as a condition to accepting the credit card as payment, except for specific purposes listed in the law (e.g., as obligated by law or by contract to complete the credit card transaction). The recent complaints allege that the defendants collected “first and last name, home address, email address, zip code, and IP address” as part of every credit card transaction, including through the use of tracking technologies, and used such data for undisclosed targeted marketing efforts in violation of Song Beverly. 


Song Beverly is a law that is likely very well known to brick-and-mortar retail companies, who are accustomed to ensuring their checkout policies and procedures at the point of sale don’t involve requests for telephone numbers, email addresses, etc., at least in a manner that could be perceived by the consumer as a condition of the credit card transaction. In the brick-and-mortar context, courts have historically denied claims based on requests for additional PII where it is made very clear to the consumer that the provision of PII is entirely voluntary and not a condition of use of a credit card (e.g., if it is made clear that the data can be provided if the consumer wants to join a rewards program or be added to a mailing list). In the online context, the California Supreme Court has held that Song Beverly does not apply to online purchases in certain contexts (e.g., the purchase of digital goods), but the breadth of the application of this ruling remains unclear and does not seem to deter the plaintiff’s bar from filing lawsuits regarding online transactions. 

Want more of the privacy highlights that matter to adtech and martech? Sign up for our privacy newsletter, A Little Privacy, Please.

A Little Privacy, Please weekly recaps are provided for general, informational purposes only, do not constitute legal advice, and should not be relied upon for legal decision-making. Please consult an attorney to determine how legal updates may impact you or your business.

Latest Blog Posts

Vermont Data Privacy Bill Is Vetoed

June 17, 2024

Vermont Governor announced his veto of a bill that...

You Are Who You Work With: Cookie Consent and Data Privacy

June 11, 2024

Who you work with for consent management and data...

Texas AG Prepares for “Aggressive Enforcement” of Privacy Laws

June 10, 2024

Texas Attorney General announced a data privacy and security...

Latest White Papers

Benchmark Report: US Privacy Compliance

August 19, 2022

The current state of publisher compliance with CCPA, and...

Ebook: A Publisher’s Guide to Vendor List Curation

December 16, 2021

How to review your vendor list to mitigate compliance...

Keep in touch

Sign up for our newsletter to keep up with privacy news for adtech and martech,
plus occasional company news.

Let's explore what we can do together.

We'll be in touch within 48 hours

[contact-form-7 id="593" title="Schedule a Demo"]