Minnesota Consumer Data Privacy Act (MCDPA) – What Your Business Needs to Know

Effective Date: July 31, 2025

The Minnesota Consumer Data Privacy Act (MCDPA), enacted in 2024, gives Minnesota residents broad consumer privacy rights and imposes obligations on businesses handling their personal data. While similar to laws like California’s CCPA and Virginia’s CDPA, it introduces several unique provisions. Like most state data privacy laws, the MCDPA does not provide a private right of action and will be enforced exclusively by the Minnesota Attorney General.

Does the MCDPA apply to your business?

Your business may be subject to the MCDPA if you operate in Minnesota or target its residents and handle personal data. The law applies if you:

  • Process data from 100,000+ Minnesota consumers annually (excluding data used only for payment transactions), or
  • Derive 50%+ of revenue from selling personal data of 25,000+ Minnesota consumers.

In practice: If you only collect data to process payments (like swiping cards at checkout), it doesn’t count toward the 100,000 threshold. But if you collect other personal information (like names, emails, or marketing data), it does count and could mean you are subject to the law.

Note: Small businesses, per U.S. SBA size standards, are subject to fewer requirements under the MCDPA, regardless of whether they meet the general applicability thresholds above. However, they are still prohibited from selling sensitive data (e.g., health, race, religion, precise geolocation, or children’s data) without consent. It’s important to review the SBA size standards carefully to determine if your business qualifies for this exception.

Consumer Rights

Minnesota residents may:

  • Opt out of personal data sales, targeted advertising, and profiling.
  • Access, review, correct, delete, and obtain a copy of their personal data.
  • Request a list of third parties their data has been disclosed to.
  • Challenge profiling decisions and request reevaluation if based on incorrect data.

Business Obligations

Opt-Out & Consumer Requests

Businesses must offer a clearly labeled “Your Privacy Rights” or “Your Opt-Out Rights” link on their website to an opt-out mechanism, respond to consumer requests within 45 days, and maintain a written appeals process for denied requests.

Privacy Notice Requirements

Privacy notices must be available in all marketing languages, clearly posted on the homepage with a link including the word “privacy”, and updated regularly, with consumers notified of any material changes to privacy practices or the notice itself.

Notices must include:

  • Categories of personal data processed and purposes for processing
  • Description of consumer rights and how to exercise them
  • Categories of third parties that data is disclosed or sold to
  • Whether data is used for targeted advertising or profiling
  • Information about data retention practices for processed data
  • Business contact information
  • Date of last update to privacy notice

Note: If your general privacy policy meets these requirements, a separate Minnesota-specific notice is not necessary.

Data Handling & Security

Businesses must collect only necessary data, avoid discriminatory practices, and implement administrative, technical, and physical safeguards for data collection. They must also:

  • Assign and identify a compliance contact
  • Maintain data inventory and compliance documentation
  • Conduct Data Protection Assessments for high-risk processing
  • Recognize universal opt-out mechanisms (e.g., browser privacy signals)

Key Differences from Other State Laws

  • Profiling Oversight: Minnesota uniquely gives consumers the right to question automated profiling decisions, understand the reasoning, and request corrections if based on inaccurate data.
  • Precise Geolocation: The MCDPA defines precise geolocation as information identifying a consumer’s location within three decimal degrees of latitude and longitude (~360 feet) or revealing a street address.
  • Access Limits: The MCDPA is the first state law to explicitly exclude certain sensitive information – such as Social Security numbers, driver’s license numbers, or biometric identifiers – from consumer access requests. Instead of providing the actual data, businesses must describe the type of sensitive information collected clearly enough for consumers to understand what is held, without disclosing the specific details. This enables transparency without compromising security or privacy.
  • Health and Financial Exemptions: The MCDPA does not fully exempt HIPAA- or GLBA-covered entities. Instead, it provides narrower, data-specific exemptions.
  • Nonprofit Coverage: Most nonprofits are not exempt, except those engaged in preventing insurance fraud.
  • Compliance Requirements: Businesses must maintain a data inventory and document the policies and procedures adopted to comply with the MCDPA.

Enforcement & Penalties

There is no private right of action, meaning only the Minnesota Attorney General may enforce the MCDPA. From July 31, 2025 through January 31, 2026, a 30-day cure period applies after a violation notice. Beginning February 1, 2026, enforcement may proceed without notice. Violations may result in injunctions and civil penalties of up to $7,500 per violation, plus the cost of investigation and litigation.

Need Help Preparing for MCDPA?

We advise businesses on compliance with consumer data privacy laws nationwide. Contact us to ensure you’re ready for Minnesota’s new requirements.
