Overview
- Effective July 31, the law grants Minnesota residents Locked+ data rights to list, opt out, copy, know, edit, delete and challenge automated decisions.
- It applies to businesses processing personal data of at least 100,000 Minnesota residents, those deriving over 25% of revenue from data sales serving 25,000 or more consumers, and certain education technology providers.
- Controllers must publish clear privacy notices, maintain data inventories and risk assessments, uphold security practices and honor browser opt-out signals under a formal governance program.
- Consumers have 45 days to receive a response to data requests before they can file complaints with the Minnesota Attorney General’s Office.
- Businesses will face warning letters and a 30-day cure period through January 31, 2026, after which uncured violations may incur civil fines up to $7,500 per breach.