Minnesota CDPA and HIPAA: Entity Exemptions, Data Carve‑Outs, Compliance Checklist

Kevin Henry

Data Privacy

January 24, 2025

7 minute read

The Minnesota CDPA (MCDPA) sits alongside HIPAA, shaping how you collect, use, share, and secure personal data. Understanding where entity exemptions, data carve‑outs, and HIPAA overlaps begin and end is essential to building a practical, defensible compliance program.

MCDPA Applicability Criteria

Who is in scope

MCDPA applies to organizations that conduct business in Minnesota or target products or services to Minnesota residents and meet threshold‑based criteria tied to controlling or processing consumer personal data. Applicability focuses on your role (controller or processor), the volume of Minnesota consumer data you handle, and the purposes for which you process it.

“Consumer” generally means a Minnesota resident acting in an individual or household context. Personal data linked or reasonably linkable to an identified person is in scope, while de‑identified and publicly available information are outside scope when handled according to the statute’s conditions.

Who is out of scope (at a high level)

  • Public sector bodies and instrumentalities performing governmental functions.
  • Federally recognized Indian tribes, to the extent they are carrying out sovereign governmental activities.
  • Processing already governed by specific federal or state regimes (see Data Exemptions Under MCDPA).

Key scope boundaries

Controllers determine the purposes and means of processing; processors act on a controller’s documented instructions. Sensitive data—such as precise geolocation, biometric identifiers, and children’s data—triggers heightened obligations, including opt‑in consent and risk analysis.

HIPAA Covered Entity Exemptions

What is exempt

MCDPA recognizes HIPAA’s domain. Protected health information (PHI) created, received, maintained, or transmitted by covered entities or their business associates is generally outside MCDPA when handled in accordance with HIPAA. This alignment reduces duplicative regulation and clarifies that HIPAA‑regulated workflows remain under HIPAA’s privacy and security rules.

Business associate compliance in mixed environments

HIPAA business associates benefit from the exemption where they process PHI on behalf of covered entities, yet business associate compliance under MCDPA still matters for any processing that falls outside HIPAA. Think of non‑PHI lead lists, prospect marketing, event registrations, or consumer app telemetry—these can trigger MCDPA even within a healthcare enterprise.

State health privacy overlays

Minnesota Health Records Act obligations continue to govern clinical records maintained by providers. In addition, records subject to 42 CFR Part 2 protection for substance use disorder treatment carry independent confidentiality requirements. Segment these data sets and apply the strictest applicable rule to avoid cross‑contamination of permissions and disclosures.

Data Exemptions Under MCDPA

  • Protected health information under HIPAA when processed by covered entities or business associates in conformity with HIPAA.
  • Records subject to 42 CFR Part 2 protection for substance use disorder treatment programs.
  • Health information regulated by the Minnesota Health Records Act held by qualifying providers.
  • Financial data regulated by the Gramm‑Leach‑Bliley Act and its implementing regulations.
  • Consumer reporting data processed pursuant to the Fair Credit Reporting Act.
  • Student records covered by the Family Educational Rights and Privacy Act.
  • Driver information governed by the Driver’s Privacy Protection Act.
  • De‑identified or aggregate data handled according to statutory safeguards.
  • Publicly available information, including lawfully made public government records.
  • Research data processed under recognized research standards and oversight.

Non-HIPAA Regulated Data Considerations

Many healthcare‑adjacent activities are not PHI and can fall squarely under MCDPA. Examples include website analytics and pixels, patient acquisition funnels, wellness apps, retail clinic loyalty programs, connected devices, and call‑center recordings unrelated to treatment or payment.

Apply data minimization requirements by collecting only what you need, for stated purposes, with defined retention limits. When handling precise geolocation, biometrics, or children’s data, obtain opt‑in consent and complete sensitive data processing assessments before launching new uses, especially for targeted advertising or profiling.

Consumer Rights Under MCDPA

  • Right to know and access: Receive confirmation of processing and a copy of personal data you hold about a consumer.
  • Right to correction: Rectify inaccuracies considering the data’s nature and processing purposes.
  • Right to deletion: Erase personal data, subject to statutory exceptions and retention duties.
  • Right to portability: Provide a usable, commonly used, and portable format where feasible.
  • Right to opt out: Stop processing for targeted advertising, sale of personal data, or certain profiling producing legal or similarly significant effects.
  • Right to appeal: Offer an internal appeal mechanism and instructions if you deny a request.

You must respond within statutory timelines, verify requesters appropriately, avoid unjustified fees, and refrain from discrimination against consumers exercising their rights.

Business Compliance Obligations

Compliance checklist

  • Map data: Classify PHI versus non‑PHI; tag sensitive data; record processing purposes and retention.
  • Update notices: Publish clear, specific disclosures on purposes, categories, sharing, opt‑out methods, and appeals.
  • Consent and children: Obtain opt‑in for sensitive data; align children’s consent with COPPA‑style standards.
  • Honor opt‑outs: Enable user‑friendly controls for targeted ads, sale, and profiling; recognize authorized preference signals where required.
  • DSAR operations: Build intake, identity verification, fulfillment, and appeals workflows with auditable SLAs.
  • Processor governance: Execute data processing agreements, instructions, and security requirements; monitor processors.
  • Security: Implement risk‑based safeguards, encryption, access controls, and incident response procedures.
  • Data minimization requirements: Limit collection to what is adequate, relevant, and reasonably necessary; enforce retention and deletion schedules.
  • Sensitive data processing assessments: Conduct and document assessments for high‑risk uses (e.g., targeted ads, sale, automated profiling, large‑scale sensitive data).
  • Training and accountability: Educate staff; maintain records of processing, DSAR logs, and assessment repositories for audit readiness.
  • Healthcare overlay: Align Minnesota Health Records Act, HIPAA, and MCDPA duties; formalize business associate compliance for non‑PHI operations.

Processor and vendor management

  • Conduct diligence on advertising tech, analytics, hosting, and call‑center vendors that touch consumer data.
  • Ensure contracts restrict secondary use, require security controls, and mandate timely assistance with consumer requests.
  • Periodically test opt‑out mechanisms and vendor honoring of preference signals across web and mobile channels.

Enforcement and Penalties

Minnesota Attorney General enforcement is the primary mechanism. Expect investigative inquiries, civil penalties, injunctive relief, and mandated program improvements for non‑compliance. Good‑faith cooperation, prompt remediation, and strong documentation can materially influence outcomes.

Reduce exposure by maintaining a living data map, current assessments, DSAR metrics, and evidence that you systematically honor opt‑outs and apply least‑data principles. When in doubt, document your legal basis, alternatives considered, and how you mitigated risks before launch.

Bottom line: Treat HIPAA and MCDPA as complementary. Segregate PHI from consumer data, minimize collection, obtain valid consent for sensitive uses, operationalize requests and appeals, and be audit‑ready with records that show why your decisions were reasonable and lawful.

FAQs

What entities are exempt from the Minnesota CDPA?

Entity‑level carve‑outs include public sector bodies performing governmental functions and federally recognized Indian tribes carrying out sovereign governmental activities. Sector‑specific carve‑outs also apply: HIPAA covered entities and business associates are exempt when processing PHI under HIPAA, and organizations handling data regulated by laws like GLBA, FCRA, FERPA, or the Minnesota Health Records Act are exempt to the extent of those regimes.

How does HIPAA impact MCDPA compliance?

HIPAA displaces MCDPA for PHI processed by covered entities and business associates, but MCDPA still applies to non‑PHI consumer data such as marketing analytics, websites, and wellness apps. Align both by segregating PHI, honoring MCDPA opt‑outs for non‑PHI, and documenting business associate compliance where you handle mixed data environments.

What types of data are carved out from the MCDPA?

Carve‑outs cover PHI under HIPAA, records under 42 CFR Part 2 protection, health information covered by the Minnesota Health Records Act, GLBA‑regulated financial data, FCRA consumer reporting data, FERPA student records, DPPA driver information, as well as de‑identified, aggregate, and publicly available information handled under statutory safeguards.

What are a business’s obligations for consumer data requests under MCDPA?

You must offer accessible submission methods; verify identity; provide access, correction, deletion, and portability where applicable; enable opt‑outs of targeted advertising, sale, and specified profiling; and maintain an appeals process. Respond within statutory timelines, explain denials, avoid discrimination, and keep records of requests and outcomes for accountability and audits.
