A Legal Guide to PRIVACY AND DATA SECURITY 2026

The MCPA uses the term “controller,” which is defined much as it is in the General Data Protection Regulation (GDPR) and other data privacy laws. Controller means the “natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of personal data.”

The MCPA defines “consumer” as a natural person who is a Minnesota resident acting only in an individual or household context. Consumer does not include a natural person acting in a commercial or employment context. This means that the MCPA does not apply to personal data relating to job applicants, employees, and individuals acting in their capacity as business representatives.

For the purposes of the MCPA, a “sale” includes an exchange of personal data for monetary consideration or “any other valuable consideration.”

The MCPA specifically applies to “technology providers” that contract with public education agencies and institutions pursuant to Minnesota Statute § 13.32.

MCPA Exemptions

The MCPA includes exemptions for certain types of businesses and data. Governmental entities, federally recognized Indian tribes, “small business[es]” as defined by the U.S. Small Business Administration regulations, air carriers under the Airline Deregulation Act, and certain kinds of banks, credit unions and insurance companies are exempt.

Unlike the California Consumer Privacy Act (“CCPA”) and other state data privacy laws, there is no broad exemption for non-profits. Non-profits are exempt if they are “established to detect and prevent fraudulent acts in connection with insurance.” The MCPA does not include an entity-level exemption for companies that are covered entities or business associates under HIPAA.

The data-level exemptions are consistent with most other state privacy laws. Specifically, the Minnesota Act exempts data regulated by HIPAA,
