Kerry Childe, JD, CIPP/US, CIPM

Senior Consultant, Contoural

Data Inventory Now!

What Minnesota’s Mandate Means for You

Published August 28, 2025
Key Takeaways
      • Minnesota’s new consumer data privacy act went into effect on July 31, 2025.
      • It requires organizations subject to the law to perform a data inventory as part of their standard data practices.
      • A data inventory is a critical tool for understanding what data you have and how to protect it.

In 2024, Minnesota became the 18th state to pass a comprehensive consumer privacy law, the Minnesota Consumer Data Privacy Act, generally referred to as MNCDPA (Minnesota, like Texas, likes to include its state abbreviation wherever possible). The law went into effect on July 31, 2025 for most entities, while some have a delayed implementation.

Much of the law will be very familiar to anyone who has been working with these comprehensive data privacy laws since 2018, when California first passed the California Consumer Privacy Act.

One of the biggest differences, though, is the new requirement under the MNCDPA to inventory data. The law requires a data controller to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data, including the maintenance of an inventory of the data that must be managed to exercise these responsibilities.”

As we frequently say to our clients, on our webinars, and to anyone who will stand still long enough to hear us: “How can you protect it if you don’t know it exists?” A data inventory is critical to managing your information, and if you do business with Minnesotans, it’s now required.

A data inventory generally looks at what information you have, where it’s stored, how it’s processed, and how it’s managed. A Personal Data Inventory is focused on just the personal information your organization collects, uses, maintains, and shares with third parties, as well as the processes surrounding that activity.

Because the MNCDPA is focused on consumer privacy protection, your mandated data inventory could just look at the flow of customer personal information in your organization. We recommend, however, that every organization create a holistic Personal Data Inventory (PDI) for all the personal information in the organization, not just the consumer personal information, for several reasons.

  • First, there are lots of compliance requirements regarding employment or contract information that aren’t covered by a consumer data privacy law but for which a PDI will help.
  • Second, a PDI can be of considerable help in production and responding to discovery in litigation.
  • Third, state security breach notification laws mandate response if you suffer a breach affecting sensitive data like Social Security numbers, driver’s license numbers, or bank account information. You’re more likely to have this information about employees or independent contractors than your customers, so knowing what you have and where it is will be critical in responding to an incident.

As you’re putting your data inventory together, it’s tempting to purchase any of the dozens of tools that promise you an inventory and to just use that to identify what you have. Tools are great, but keep in mind that while those tools will tell you what specific data points exist in your systems, and where, at the point in time of the survey, they won’t tell you why the data is in that particular system, or what it’s being used for, or what protections exist.

While the new Minnesota law does not specifically mandate that your data inventory contain that information, it does require that your inventory identify the information “that must be managed” as part of your security program, which means you need to understand a bit more about your data to properly protect it. Furthermore, a tool will not tell you a single thing about non-electronic data, and it will not tell you about data that exists outside your systems that IT doesn’t know about.

The most comprehensive way to get a good data inventory is to ask. Talk to your business units – all of them – and ask them about the personal information they collect, use, maintain, etc. Ask them about the collection purpose and about what data points are being collected, where they get stored, and who they are shared with. (When we do this with clients, I tell my interviewees that the interview is a judgment-free zone: if you tell me you’re selling personal information on the internet, I may cry about it later, but I will write it down right now because it’s just a data point that I’m collecting.)

And ask them about their processes, not just their data, because that’s how you’ll figure out how best to protect the information your organization has and uses. This will not only help your compliance with this one specific law, but it will also improve your privacy, security, and/or compliance program as a whole, enabling you to meet your data protection obligations holistically and with less effort.

Learn more about conducting a Personal Data Inventory (PDI) focused on just the personal information your organization collects, uses, maintains, and shares with third parties, as well as the processes surrounding that activity. Reach out to us at info@contoural.com for more information.

Join us for our March webinar, "Using M365 to Create a Personal Data Inventory."