.svg "Logo White")
What are the consumer rights under the Minnesota Consumer Data Privacy Act (MCDPA)?
Consumers have the following rights under the MCDPA:
- Right to Access
- Right to Correct
- Right to Delete
- Right to Data Portability
- Right to Opt-Out
- Right to obtain a list of the specific third parties to which the controller has disclosed the consumer's personal data.
As regards the right to opt-out, Minnesota’s privacy law states that “a consumer may designate another person as the consumer's authorized agent to exercise the consumer's right to opt out of the processing of the consumer's personal data for purposes of targeted advertising and sale on the consumer's behalf by way of, among other things, a technology, including but not limited to an Internet link or a browser setting, browser extension, or global device setting, indicating the consumer's intent to opt out of the processing” and the controller will have to “comply with an opt-out request received from an authorized agent if the controller is able to verify, with commercially reasonable effort, the identity of the consumer and the authorized agent's authority to act on the consumer's behalf.”
The law specifically mentions universal opt-out mechanisms (UOOMs) and mandates that “a controller must allow a consumer to opt out of any processing of the consumer's personal data for the purposes of targeted advertising or any sale of the consumer's personal data through an opt-out preference signal sent, with the consumer's consent, by a platform, technology, or mechanism to the controller indicating the consumer's intent to opt out of the processing or sale.”
How to respond to consumer requests under the Minnesota Consumer Data Privacy Act (MCDPA)?
Unless certain exceptions apply, controllers have to comply with a consumer request and have to “provide one or more secure and reliable means for consumers to submit a request to exercise the consumer's rights” which “must take into account the ways in which consumers interact with the controller and the need for secure and reliable communication of the requests.”
Controllers have to respond to consumer requests “as soon as feasibly possible, but no later than 45 days of receipt of the request” and “must inform a consumer of any action taken on a request without undue delay and in any event within 45 days of receipt of the request,” which “may be extended once by 45 additional days where reasonably necessary, taking into account the complexity and number of the requests” but the controller has an obligation to “inform the consumer of any extension within 45 days of receipt of the request, together with the reasons for the delay.”
It is not permitted for controllers to require consumers to create a new account in order to exercise a right, but a controller is allowed to require a consumer to use an existing account to exercise their consumer's rights.
If they do not take action on a consumer request, controllers have to inform the consumer “without undue delay and at the latest within 45 days of receipt of the request of the reasons for not taking action and instructions for how to appeal the decision.”
Information provided to consumers has to be “free of charge up to twice annually to the consumer,” however in cases where requests from a consumer are “manifestly unfounded or excessive, in particular because of the repetitive character of the requests, the controller may either charge a reasonable fee to cover the administrative costs of complying with the request, or refuse to act on the request” but the controller bears the burden of demonstrating the manifestly unfounded or excessive character of the request.
If they are unable to authenticate the request “using commercially reasonable efforts,” controllers are not required to comply with the request. In such cases, controllers may request for additional information which is reasonably necessary to authenticate the request.
In the case of opt-out requests, a controller is not required to authenticate an opt-out request, but they may deny an opt-out request if they have “a good faith, reasonable, and documented belief that the request is fraudulent” in which case they have to notify the person who made the request that the request was denied due to the belief that the request was fraudulent and they have to state their basis for that belief.
Controllers have to “establish an internal process whereby a consumer may appeal a refusal to take action on a request to exercise” their consumer rights “within a reasonable period of time after the consumer's receipt of the notice sent by the controller. The appeal process has to be conspicuously available and has to be as easy to use as submitting requests. Controller have 45 days from receipt of an appeal to inform the consumer of any action taken or not taken and this period can be extended by an additional 60 days “where reasonably necessary, taking into account the complexity and number of the requests serving as the basis for the appeal,” but the controller has to “inform the consumer of any extension within 45 days of receipt of the appeal, together with the reasons for the delay.”
When informing a consumer of any action taken or not taken in response to an appeal, controllers have to also provide a written explanation of the reasons for their decision and have to provide the consumer with information about how to file a complaint with the Office of the Attorney General.
A record of all appeals and responses to these has to be maintained “for at least 24 months and shall, upon written request by the Attorney General as part of an investigation, compile and provide a copy of the records to the Attorney General.”
