In the past several weeks, the Minnesota governor has signed into law the Minnesota Consumer Data Privacy Act, while the Vermont Data Privacy Act has been passed by the legislature and awaits the governor’s signature. Both of these laws include provisions that depart from the general model set by state comprehensive privacy laws enacted to date.
Vermont’s bill is particularly notable because it would be the first state comprehensive privacy law to include a private right of action for privacy-related violations. (The California Consumer Privacy Act, the only other comprehensive privacy law with a private right of action, limits that cause of action to certain security incidents.) The bill has drawn strong opposition from certain business groups, which are urging Vermont’s governor to veto it. If it is eventually signed into law, “large data holders” and data brokers registered under Vermont’s data broker law (the only entities subject to Vermont’s private right of action provisions) should review the law’s requirements closely to understand how their privacy compliance programs may need to be updated, since noncompliance would carry litigation risk rather than only regulatory enforcement risk.
Congress continues to debate the American Privacy Rights Act (APRA) against the backdrop of states passing new privacy laws. APRA is currently being evaluated by the House Committee on Energy and Commerce. Notably, the proposal includes provisions to preempt certain state privacy laws, including most comprehensive privacy laws. This would give businesses some clarity on where to look for their compliance obligations. But the current version of APRA also includes a private right of action. If passed into law as is, companies would face potential class action risk under the new federal privacy law.
In this post, we summarize the notable features of these two laws and highlight key takeaways for companies looking to keep their compliance postures up to date. To stay abreast of the latest developments in state privacy law, please subscribe to the WilmerHale Privacy and Cybersecurity Law Blog.
Minnesota Consumer Data Privacy Act
The Minnesota legislature passed the Minnesota Consumer Data Privacy Act (MCDPA) on May 19 as part of HF 4757, a broader omnibus bill. Minnesota Governor Tim Walz signed HF 4757 into law on May 24, and the MCDPA will take effect on July 31, 2025.
Notable elements of the MCDPA include:
- Right to Challenge Profiling Decisions. The MCDPA grants consumers several rights in relation to a company’s use of personal data for profiling in furtherance of decisions that produce legal or similarly significant effects concerning a consumer, including:
- The right to “question the result of the profiling”;
- The right to “be informed of the reason that the profiling resulted in the decision”;
- The right, if feasible, to “be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future”;
- The right to “review the consumer's personal data used in the profiling”; and
- The right, if a decision is found to have been based on inaccurate personal data, to “have the data corrected and the profiling decision reevaluated based upon the corrected data.”
- Right to Obtain List of Specific Third-Party Data Recipients. The MCDPA grants consumers the right to obtain from a data controller a list of specific third parties with whom that consumer’s personal data has been shared.
- Data Inventory. The MCDPA requires that controllers maintain a data inventory as part of implementing reasonable security practices. Notably, the Act does not define or provide further guidance regarding this data inventory requirement.
- Policy Documentation and Chief Privacy Officer Requirements. The MCDPA requires that controllers document policies and procedures implemented to comply with the Act and identify their chief privacy officer or equivalent individual.
Vermont Data Privacy Act
The Vermont legislature passed the Vermont Data Privacy Act (VDPA) on May 11, as part of House Bill 121, a larger bill that also includes an Age-Appropriate Design Code and revisions to Vermont’s data broker law.
The VDPA has not yet been signed into law by Vermont’s governor. Indeed, there is some speculation that the governor may veto the bill due to concerns over its private right of action. However, if signed by the governor, the VDPA would generally take effect on July 1, 2025 (with exceptions for certain provisions).
Notable elements of the VDPA include:
- Limited Private Right of Action. If signed into law by the governor, the VDPA would become the nation’s first state comprehensive privacy law with a private right of action for privacy violations. The VDPA’s private right of action, however, would be subject to several important limitations. First, it would apply only to data brokers and “large data holders” (companies processing personal data of at least 100,000 Vermont residents). Second, it would only apply to specific violations of the VDPA, namely its requirement of consumer consent for sensitive data processing, prohibition on the sale of sensitive data, and provisions related to the confidentiality of consumer health data. Third, it would not take effect until 2027 and, absent legislative intervention, would expire in 2029.
- Step-Down Applicability Thresholds. The VDPA generally applies to entities that conduct business in Vermont or target products or services to Vermont residents and satisfy at least one of the following thresholds: (1) controlling or processing personal data of at least 25,000 Vermont residents in the previous calendar year; or (2) controlling or processing personal data of at least 12,500 Vermont residents in the previous calendar year and deriving more than 25% of their gross revenue from the sale of personal data. Notably, however, the VDPA includes provisions that will gradually lower the Act’s applicability thresholds over time. Specifically:
- Effective July 1, 2026, the VDPA will apply to entities that (1) control or process personal data of at least 12,500 Vermont residents or (2) control or process personal data of at least 6,250 Vermont residents and derive more than 20% of their gross revenue from sale of personal data.
- Effective July 1, 2027, the VDPA will apply to entities that (1) control or process personal data of at least 6,250 Vermont residents or (2) control or process personal data of at least 3,125 Vermont residents and derive more than 20% of their gross revenue from the sale of personal data.
- Data Minimization Requirements. Like the recently enacted Maryland Online Data Privacy Act, the VDPA would impose a data minimization requirement on companies, requiring them to limit data collection to personal information “reasonably necessary and proportionate” to deliver a product or service requested by the consumer.
- Right to Obtain List of Specific Third-Party Data Recipients. Like the MCDPA, the VDPA grants consumers the right to obtain from a business a list of specific third parties with whom that consumer’s personal data has been shared.
- Limited Prohibition on Sale of Sensitive Data. The VDPA would prohibit the sale of consumers’ sensitive data. However, the VDPA’s definition of “sale of personal data” excludes, among other things, “the disclosure of personal data where the consumer directs the controller to disclose the personal data” and “the disclosure of personal data to a third party for purposes of providing a product or service requested by the consumer.” As such, where a consumer directs the disclosure, or where the disclosure is made to deliver a product or service the consumer requested, the disclosure would fall outside the definition of “sale” and the prohibition would not apply.
- Broad Definitions of Sale and Targeted Advertising. The VDPA defines the terms “sale of personal data” and “targeted advertising” more broadly than the typical state comprehensive privacy law.
- “Sale of personal data,” for example, is defined as “the exchange of a consumer’s personal data by the controller to a third party for monetary or other valuable consideration *or otherwise for a commercial purpose*” (emphasis added), thus going beyond most states’ definitions of “sale,” which are typically limited to exchanges for monetary or other valuable consideration.
- Targeted advertising, meanwhile, is defined as “the targeting of an advertisement to a consumer based on the consumer’s activity with one or more businesses, *distinctly branded* websites, applications, or services, other than the controller, *distinctly branded* website, application, or service with which the consumer is intentionally interacting” (emphasis added), meaning, for example, that targeting ads based on consumer activity across two distinctly branded websites owned by the same business would fall within the ambit of the law.