How to Comply with the Minnesota Consumer Data Privacy Act?

Learn about the Minnesota Consumer Data Privacy Act (MCDPA), a new US state privacy law effective July 31, 2025. Understand its scope, consumer rights, business obligations, and compliance requirements to navigate the evolving data privacy landscape.

Doğancan Doğan

The state of Minnesota has joined the US data privacy landscape with the enactment of the Minnesota Consumer Data Privacy Act (MCDPA). Signed into law in May 2024, this legislation will take effect on July 31, 2025, introducing new obligations for businesses and rights for consumers.

  • Official Text: Minnesota Consumer Data Privacy Act
  • Effective Date: July 31, 2025
  • Enforcement Agency: Minnesota Attorney General
  • Penalties: Civil penalties up to $7,500 per violation

What is the Minnesota Consumer Data Privacy Act (MCDPA)?

As data privacy becomes increasingly critical, more US states are implementing their own privacy laws. Minnesota's entry, the MCDPA, shares similarities with other state laws, like New Hampshire's, but also includes distinct provisions. While it grants consumers standard rights such as confirmation and opting out, a notable addition is the right to challenge automated profiling outcomes. The law imposes stringent requirements on businesses handling personal data.

Who Does the Minnesota Consumer Data Privacy Act Apply To?

The Minnesota privacy law applies to businesses operating within the state or those targeting products/services at Minnesota residents, provided they meet one of the following annual thresholds:

  • Control or process the personal data of 100,000 or more consumers (excluding data processed solely for payment transactions).
  • Control or process the personal data of 25,000 or more consumers and derive over 25% of their gross revenue from the sale of personal data.

The scope also extends to technology providers as defined under the Education record law.

Who Does the Minnesota Consumer Data Privacy Act Not Apply To?

The MCDPA includes exemptions for several entities, such as government bodies, federally recognized Indian tribes, entities and data covered by HIPAA (Health Insurance Portability and Accountability Act), and personal data governed by the Gramm-Leach-Bliley Act.

Beyond these standard exemptions, the law also exempts small businesses (except for provisions related to the sale of sensitive data) and non-profit organizations involved in the detection and prevention of insurance fraud.

What is Personal Data Under the Minnesota Consumer Data Privacy Act?

Under Minnesota privacy law, "personal data" is defined similarly to other US privacy statutes. It encompasses any information linked or reasonably linkable to an identified or identifiable individual.

This definition explicitly excludes publicly available information or de-identified data. Publicly available information includes data found in government records, widely accessible media, or information the controller reasonably believes has been lawfully made available to the general public.

What is Sensitive Data Under the Minnesota Consumer Data Privacy Act?

The MCDPA categorizes certain types of personal data as "sensitive." Processing sensitive data requires explicit consumer consent. These categories include personal data revealing:

  • Racial or ethnic origin
  • Religious beliefs
  • Mental or physical health conditions or diagnoses
  • Sexual orientation
  • Citizenship or immigration status
  • Biometric or genetic information processed for identification purposes
  • Personal data of an individual known to be a child
  • Specific geolocation data

Minnesota's consent requirements align with those found in most US privacy laws. Consent is defined as a freely given, specific, informed, and unambiguous indication of a consumer's wishes, by which they signal agreement to the processing of their personal data.

Businesses must be cautious about what constitutes valid consent. Relying solely on acceptance of general or broad terms is not sufficient. Similarly, passive actions like hovering over, muting, pausing, or closing a cookie banner or similar content do not count as consent. The law explicitly prohibits using dark patterns to obtain consent.

We will explore the specific situations requiring businesses to obtain consent later in this article.

What are the Privacy Notice Requirements Under the Minnesota Consumer Data Privacy Act?

The law mandates comprehensive and clearly presented privacy notices. Your privacy notice must include:

  • Categories of personal data processed by your business.
  • Specific purposes for data processing.
  • Explanation of consumer rights and how to exercise them, including the appeal process.
  • Categories of personal data your business sells or shares with third parties.
  • Categories of third parties with whom data is sold or shared.
  • Controller's contact information (including an active email address or other online mechanisms).
  • Controller's data retention policy.
  • The date the privacy notice was last updated.
  • If data is used for targeted advertising, profiling, or sale, disclosure of this practice and an opt-out link titled "Your Opt-Out Rights" or "Your Privacy Rights."

The privacy notice must be easily accessible and available in all languages your business uses to provide products or services covered by the notice.

What are the Obligations of Businesses Under the Minnesota Consumer Data Privacy Act?

Businesses subject to the MCDPA must fulfill the following obligations:

  • Transparency: As mentioned, businesses must provide a clear and easily understandable privacy policy that is easily accessible and usable by individuals with disabilities. You must also inform users of changes to the policy through reasonable electronic means and allow them to withdraw consent if required. The privacy notice should be accessible via a clear "privacy" link on your website's homepage, app store page, or download page. For mobile apps, it should also be findable in the app's settings or an equally prominent location.
  • Data Minimization: Limit the collection of personal data to only what is adequate, relevant, and necessary to fulfill the purpose disclosed to the consumer.
  • Purpose Limitation: Data collected can only be used for the purposes disclosed to the consumer unless additional consent is obtained. You cannot retain personal data longer than necessary for its original purpose, unless required by law.
  • Security Safeguards: Implement appropriate technical, physical, and administrative security measures that are proportionate to the volume and nature of the data processed to protect the confidentiality of personal data under your control.
  • Consent: Obtain consumer consent before processing sensitive data. For children under 13, secure verifiable parental consent in line with COPPA (Children's Online Privacy Protection Act). The sale of sensitive data requires consumer consent from all businesses, including small businesses. Consent is also necessary for processing the personal data of individuals aged 13 to 16 for targeted advertising, sales, and profiling. Consumers have the right to withdraw consent at any time. You must provide convenient mechanisms for withdrawal and stop processing data within 15 days of receiving a revocation request.
  • Non-discrimination: The MCDPA prohibits discriminating against consumers for exercising their rights. Furthermore, businesses cannot process personal data in a discriminatory manner based on protected characteristics (race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, income source, or disability) when offering housing, employment, credit, education, goods, privileges, advantages, or public accommodations.
  • Data Privacy Policies: A unique requirement is for businesses to document and maintain policies and procedures demonstrating compliance with the law's obligations. This documentation must include data protection strategies and the name and contact information of the chief privacy officer.
  • Data Privacy and Protection Assessments: Businesses must conduct assessments for high-risk data processing activities, such as processing sensitive data or using personal data for profiling. These assessments must remain confidential.
  • Contractual Relationship: Establish contracts with processors and third parties involved in data processing, ensuring their compliance with the law. Contracts should specify the nature and purpose of processing, its duration, and the types of data involved.
  • Global Opt-outs: The law requires businesses to recognize universal opt-out signals.
  • Response to Consumer Requests: Respond to consumer requests within 45 days, with a possible extension of another 45 days if the consumer is promptly notified. Businesses must fulfill information requests free of charge twice annually per person. Businesses cannot directly disclose the following information in response to a consumer request: social security numbers, driver's license numbers or other government identifiers, financial account numbers, health insurance numbers or medical identification numbers, account passwords, security questions or answers, or biometric data.
  • Appeal: Businesses must establish a process for consumers to appeal the refusal of a consumer request. Respond to the appeal within 45 days, which can be extended by another 60 days if necessary.

What are the Rights of Consumers Under the Minnesota Consumer Data Privacy Act?

The Minnesota privacy law grants consumers the following rights:

  • Right to Confirm: Consumers can confirm if a business is processing their personal data and access the categories of such data.
  • Right to Correct: Consumers can request correction of inaccurate personal data.
  • Right to Delete: Consumers have the right to request the deletion of their personal data.
  • Right to Portability: Consumers can obtain personal data they provided to the controller in a portable and readily usable format.
  • Right to Opt-out: Consumers can opt out of:
    • Targeted advertising
    • Profiling
    • Sale of personal data
  • Right to Question: This unique right allows consumers to challenge the results of profiling and be informed of the reasons behind the decision. They can also review the personal data used for profiling. If the profiling decision was based on incorrect information, they can correct the data and request a reevaluation.
  • Right to Obtain: Consumers can obtain a list of specific third parties with whom their personal data is shared. If the controller does not maintain records specific to the consumer, they can provide a list of all third parties with whom any consumer's personal data has been shared.

Enforcement of the Minnesota Consumer Data Privacy Act

The Minnesota Attorney General holds exclusive enforcement authority under the law; there is no private right of action for consumers.

The law includes a cure provision valid until January 31, 2026. Before taking legal action, the Attorney General will issue a warning letter and provide 30 days to rectify the violation. If the violation persists beyond this cure period, legal action may follow. The law allows for a civil injunction and penalties of $7,500 per violation.

Checklist: Minnesota Consumer Data Privacy Act Compliance

  • Implement data minimization and purpose limitation practices.
  • Obtain prior consent for processing and selling sensitive data.
  • Do not process the personal data of consumers aged 13 to 16 for targeted advertising, profiling, or sale without prior consent.
  • Adhere to COPPA regulations when processing personal data of children under 13.
  • Provide opt-out mechanisms for targeted advertising, sale of personal data, and profiling.
  • Recognize universal opt-out signals.
  • Provide a clear and easily accessible privacy notice.
  • Document and maintain policies and procedures to demonstrate compliance.
  • Respond to consumer requests promptly.
  • Establish contractual relationships with data processors and third parties.
  • Avoid discriminating against consumers.
  • Conduct data protection impact assessments.

FAQ on Minnesota Privacy Law

Does Minnesota have a privacy law?

Yes, the Minnesota Consumer Data Privacy Act was approved by the governor in May 2024 and becomes effective in July 2025. The law requires businesses to comply with obligations such as data minimization, purpose limitation, providing a privacy notice, and obtaining consent. While it shares similarities with many US privacy laws, it also includes unique provisions.

What are the rights of consumers?

The Minnesota law grants consumers the right to confirm whether their data is being processed, the right to correct inaccurate data, the right to delete their data, the right to data portability, the right to opt out of targeted advertising, profiling, and data sale, the unique right to question the results of profiling, and the right to obtain a list of third parties with whom their personal data is shared.
