Two More States Enact Data Privacy Laws: What Employers Need to Know

Consumer and data privacy laws have been popping up everywhere lately. Soon, nearly half the nation will have active consumer privacy data laws. It may seem overwhelming, but we are here to help you get up to speed.

Recently, we covered multiple other states that enacted data privacy laws, such as Iowa, Indiana, Florida, Montana, and Texas. Two states have signed off on new consumer privacy laws to add to the growing list of consumer and data protections nationwide. Below is a quick overview of some highlights of Rhode Island and Minnesota's new consumer data privacy laws.

Minnesota's new data privacy law

On May 24, Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (MNCDPA), officially making Minnesota the 19th state to enact a consumer data privacy law.

Who does Minnesota’s data privacy law apply to?

Minnesota’s data privacy law applies to organizations that conduct business in the state or produce products or services that target Minnesota consumers (including candidates). The business must also meet one of the following thresholds during the preceding calendar year:

• Control or process the personal data of 100,000 Minnesota consumers or more or
• Derive more than 25 percent of gross revenue from the sale of personal data and process or control the personal data of at least 25,000 Minnesota consumers.

What does the law include?

The MNCPDA will require businesses and organizations handling personal data to provide privacy rights to Minnesotans. Eligible companies must also address the consumer’s right to:

• Confirm whether a controller is processing the consumer's data and the right to access the data

• Correct inaccurate personal data
• Require deletion of personal data (subject to exceptions)
• Data portability
• Obtain a list of third parties to which the controller disclosed the consumer's data
• Opt out of targeted advertising, the sale of personal data, and the use of personal data for profiling by automated means that produce legal or significant effects. Controllers must also adhere to opt-out requests submitted by universal opt-out mechanisms (UOOMs).

The MNCPDA also addresses automated profiling that produces legal or similarly significant effects. However, the MNCPDA does not have a private right of action, meaning individuals cannot file suit if there is a violation. Instead, the state Attorney General's Office will enforce the new law exclusively, with civil penalties of up to $7,500 per violation after a temporary cure period expiring on January 31, 2026.

The Minnesota Consumer Data Privacy Act will go into effect on July 31, 2025. To read the full text of Minnesota’s Consumer Data Privacy law, take a closer look here.

Rhode Island's upcoming data privacy law

”The Rhode Island Data Transparency and Privacy Protection Act” was signed into law on June 29, 2024. The act's model is similar to the Washington Privacy Protection Act, but it has some distinct differences.

How is Rhode Island’s privacy law different?

• The act includes a unique privacy notice requirement mandating entities to disclose the third parties they sell or “may sell” personally identifiable information to.
• The act does not include some provisions that have become commonplace in recently passed laws, such as data minimization language and an obligation to recognize universal opt-out mechanisms.

Enforcing the new rules

The state Attorney General will enforce the act without a private right of action. It is the first state consumer data privacy law without a cure right. Violations of the act are enforceable under the state’s deceptive trade practice act. Entities that “intentionally disclose personal data” to a shell company or entity created to circumvent the act or in violation of any provision of the act shall pay a fine of between $100 and $500 for each such disclosure.

Rhode Island's privacy act will go into effect on January 1, 2026. Read the full text here to see the details of Rhode Island’s upcoming privacy law changes.

The future of privacy and data protection laws across the US

Adding two new privacy and data protection laws is a growing response to the need for better privacy regulations in a world where personal data is closer to our fingertips than ever before, not just in IT but for all areas across an organization.

Data and privacy laws not only apply to customers but can directly impact how organizations handle candidate data in the screening and onboarding process. Employers operating in or hiring remotely in states with data privacy laws may want to consult their legal counsel to see how new and existing data privacy laws affect business and hiring practices. Verified Credentials will do its best to provide the latest updates on upcoming data privacy laws as they become available.