How Minnesota’s New Consumer Data Privacy Act and California’s AI Employment Rules Signal a New Era for U.S. Data Protection

In August 2025, two significant legislative developments are reshaping the landscape of data protection in the United States. Minnesota’s Consumer Data Privacy Act (MCDPA) and California’s new AI Employment Discrimination Regulations are setting new standards for how organizations handle data privacy and AI-driven decision-making.

Minnesota’s Consumer Data Privacy Act: A New Benchmark

The MCDPA, effective from July 31, 2025, introduces stringent requirements that surpass previous state laws. Key provisions include mandatory data inventories, the appointment of a Chief Privacy Officer, and expanded consumer rights. These rights allow consumers to challenge profiling and gain more insight into how their data is utilized.

Implications for Organizations Nationwide

Even if your organization is not based in Minnesota, the MCDPA could still impact you if you handle data from Minnesotan residents. The law’s rigorous requirements for data inventories and designated privacy officers may set a new standard for compliance programs across the U.S. Organizations should prepare to adapt their data management practices to align with these new expectations.

California’s AI Employment Regulations: Pioneering AI Compliance

Starting October 1, 2025, California’s regulations will address AI-driven discrimination in employment. These rules require employers to retain automated-decision data for at least four years and limit certain AI-driven assessments. This move marks a significant step towards regulating AI in human resources, signaling a trend towards more explicit oversight of AI technologies.

A New Compliance Frontier

California’s approach to AI in employment highlights the growing need for organizations to scrutinize their AI systems for potential biases. Data protection officers (DPOs) must ensure that their AI-driven processes comply with these new regulations, which could serve as a model for future legislation in other states.

Practical Steps for Data Protection Officers

To navigate these changes, DPOs should consider the following best practices:

1. Update Data Inventories: Ensure that your organization maintains comprehensive and up-to-date data inventories to comply with MCDPA requirements.
2. Review AI Systems for Bias: Regularly audit AI systems to identify and mitigate any biases that could lead to discriminatory outcomes.
3. Document and Retain Automated Decision Data: Implement robust documentation practices to retain automated decision data for the required duration, ensuring compliance with California’s regulations.

By taking these steps, organizations can better prepare for the evolving regulatory landscape and position themselves as leaders in data protection and compliance.

Other links on the web

• The Privacy & Security Download: August 2025
• 51 Useful Data Protection Resources: Blogs, Videos, Guides, Infographics, Tools & More
• Storage and Data Protection News for the Week of August 8
• Cyberhaven Blog
• CPPA Announcements