The Minnesota Consumer Data Privacy Act (MCDPA) was signed into law by Governor Tim Walz on May 24, 2024, establishing comprehensive privacy protections for Minnesota residents. The law becomes effective on July 31, 2025, with postsecondary educational institutions having until July 31, 2029, to comply.

The MCDPA distinguishes itself through unique features like the right to question profiling decisions, prescriptive rules for privacy notices, and comprehensive protections for sensitive data categories. Organizations must implement robust compliance programs that address technical requirements and consumer rights while maintaining detailed documentation of their privacy practices.

Last updated on January 1, 2025

Scope and Applicability

The MCDPA applies to organizations that conduct business in Minnesota or produce products/services targeted to Minnesota residents and meet at least one threshold:

  • Control/process personal data of 100,000+ consumers annually (excluding payment transactions)
  • Control/process personal data of 25,000+ consumers while deriving over 25% of gross revenue from selling personal data

Exemptions include:

  • Government entities and federally recognized Indian tribes
  • Financial institutions subject to GLBA
  • HIPAA-covered entities and business associates
  • Airlines regulated by the Airline Deregulation Act
  • Higher education institutions (until July 31, 2029)
  • Nonprofit organizations focused on insurance fraud detection
  • Small businesses (as defined by SBA, except for sensitive data sales)
  • Public utilities

The law only applies to Minnesota residents acting in an individual context, not employment or commercial contexts.

Key Provisions

Consumer Rights

The MCDPA grants Minnesota consumers the right to:  

  • Access and confirm personal data processing
  • Correct inaccuracies in their personal data
  • Delete personal data
  • Obtain a portable copy of their data
  • Opt out of targeted advertising, data sales, and profiling
  • Appeal denied requests
  • Question and review automated decision-making results, including understanding the rationale and securing different decisions

Business Obligations

Under the MCDPA, controllers must:

Technical Requirements

  • Display “Privacy Rights” or an equivalent link on the homepage
  • Implement Universal Opt-Out Mechanisms (UOOMs)
  • Respond to consumer rights requests within 45 days (one 45-day extension permitted)
  • Electronically notify consumers of material privacy policy changes
  • Obtain consent from consumers aged 13-16 for data sales
  • Implement reasonable security measures

Documentation Requirements

  • Maintain data privacy policies and procedures
  • Conduct data protection assessments for high-risk processing
  • Document internal appeals processes
  • Keep records of consumer requests and responses

Definitions of Sensitive Data

The MCDPA defines sensitive data broadly to include the following protected categories:

  • Racial/ethnic origin
  • Religious beliefs
  • Mental/physical health conditions
  • Sexual orientation
  • Citizenship/immigration status
  • Biometric/genetic data
  • Data of known children
  • Precise geolocation data

The Act effectively establishes different consent requirements for children and teens:

  • Children under 13: their data is treated as sensitive data and requires parental consent
  • Teens 13-16: requires their own consent for targeted advertising/sales
  • Individuals over 16: standard adult provisions apply

This aligns with COPPA’s definition of children as “under 13 years old” while adding protections for young teens, as other privacy laws like GDPR (which defines children as under 16) have done.

Opt-In vs. Opt-Out Approach

The MCDPA generally takes a hybrid approach: 

  • Opt-in required for sensitive data processing
  • Opt-out rights for targeted advertising and data sales
  • Recognition of universal opt-out mechanisms
  • Clear and conspicuous opt-out methods required

Enforcement and Penalties

The Minnesota Consumer Data Privacy Act is enforced exclusively by the state’s Attorney General, who can impose civil penalties of up to $7,500 for each violation of the law. Until January 31, 2026, businesses will have a 30-day opportunity to cure any alleged violations before penalties are imposed. The law notably does not include a private right of action, meaning individual consumers cannot file lawsuits for violations. In enforcement actions, the Attorney General’s office has the authority to recover costs associated with litigation. This enforcement framework emphasizes regulatory oversight while providing businesses an initial grace period to adapt to compliance requirements.

Disclaimer

The information provided on this website is for general informational purposes only. While we strive to keep the content accurate and up-to-date, RBA, Inc., makes no representations or warranties of any kind, express or implied, about the completeness, reliability, or suitability of the information contained on this website.

Please note that RBA, Inc., is not a law firm, and its consultants are not attorneys or legal professionals. Any advice or opinions provided are offered in good faith and should not be construed as legal advice. We strongly recommend consulting your legal, regulatory, compliance, and/or security teams before making decisions with legal implications.

RBA, Inc., disclaims any liability for any loss or damage arising out of the use of this website or reliance on its content.

About the Author

Tyler Schroeder

Managing Principal, Strategy

Tyler Schroeder is a strategist helping organizations overcome business, brand, and marketing challenges through results-driven digital solutions. Tyler has an extensive background specializing in digital strategy, data privacy, search engine optimization (SEO), analytics, and strategic planning. He has 15+ years' experience across agency and in-house teams, including Fortune 100 companies, Big Ten & Ivy League universities, mid-to-large enterprises with multi-regional footprints, and non-profits of all sizes.

Author’s Statement on the Ethical Use of AI

I openly acknowledge and take pride in the thoughtful integration of artificial intelligence tools in creating this content. This transparency reflects my commitment to ethical AI usage while delivering exceptional value to clients and visitors. I have critically assessed and validated any generated feedback. The final content, conclusions, and assertions are my own.

Tools & Applications

  • Research & Content Development: Perplexity, Claude
  • Quality Assurance: Grammarly
  • Visual Content: Adobe Firefly

Guiding Principles

  • AI tools enhance rather than replace human creativity.
  • Content authenticity is maintained through personal expertise.
  • Original ideas and strategic direction remain solely my own.
  • Final editorial decisions reflect my professional judgment.
  • All AI-generated content undergoes thorough human review.

Quality Standards

  • Security: Commitment to data privacy and security
  • Equity: Outputs critically reviewed to assess for bias
  • Accuracy & Integrity: Independent verification ensures accuracy and authenticity
  • Attribution & Transparency: Clear identification of AI assistance while maintaining originality

This acknowledgment demonstrates my dedication to responsible AI integration while maintaining the highest professional standards in service delivery.