Consumer and data privacy laws have been popping up everywhere lately. Soon, nearly half the nation will have active consumer data privacy laws. It may seem overwhelming, but we are here to help you get up to speed.
Recently, we covered multiple other states that enacted data privacy laws, such as Iowa, Indiana, Florida, Montana, and Texas. Two states have signed off on new consumer privacy laws to add to the growing list of consumer and data protections nationwide. Below is a quick overview of some highlights of Rhode Island and Minnesota's new consumer data privacy laws.
On May 24, Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (MNCDPA), officially making Minnesota the 19th state to enact a consumer data privacy law.
Who does Minnesota’s data privacy law apply to?
Minnesota’s data privacy law applies to organizations that conduct business in the state or produce products or services that target Minnesota consumers (including candidates). The business must also meet one of the following thresholds during the preceding calendar year:
What does the law include?
The MNCDPA will require businesses and organizations handling personal data to provide privacy rights to Minnesotans. Eligible companies must also address the consumer’s right to:
The MNCDPA also addresses automated profiling that produces legal or similarly significant effects. However, the MNCDPA does not have a private right of action, meaning individuals cannot file suit if there is a violation. Instead, the state Attorney General's Office will enforce the new law exclusively, with civil penalties of up to $7,500 per violation after a temporary cure period expiring on January 31, 2026.
The Minnesota Consumer Data Privacy Act will go into effect on July 31, 2025. To read the full text of Minnesota’s Consumer Data Privacy law, take a closer look here.
“The Rhode Island Data Transparency and Privacy Protection Act” was signed into law on June 29, 2024. The act's model is similar to the Washington Privacy Protection Act, but it has some distinct differences.
How is Rhode Island’s privacy law different?
Enforcing the new rules
The state Attorney General will enforce the act without a private right of action. It is the first state consumer data privacy law without a cure right. Violations of the act are enforceable under the state’s deceptive trade practice act. Entities that “intentionally disclose personal data” to a shell company or entity created to circumvent the act or in violation of any provision of the act shall pay a fine of between $100 and $500 for each such disclosure.
Rhode Island's privacy act will go into effect on January 1, 2026. Read the full text here to see the details of Rhode Island’s upcoming privacy law changes.
The addition of two new privacy and data protection laws is part of a growing response to the need for better privacy regulations in a world where personal data is closer to our fingertips than ever before, not just in IT but in all areas across an organization.
Data and privacy laws not only apply to customers but can directly impact how organizations handle candidate data in the screening and onboarding process. Employers operating in or hiring remotely in states with data privacy laws may want to consult their legal counsel to see how new and existing data privacy laws affect business and hiring practices. Verified Credentials will do its best to provide the latest updates on upcoming data privacy laws as they become available.