Minnesota Consumer Data Privacy Act Takes Effect July 31

Key Takeaways: The Minnesota Consumer Data Privacy Act (“MCDPA”) will become effective on July 31, 2025. While the MCDPA is similar to the state privacy laws of Washington, New Hampshire, and Maryland, it also includes unique features such as an exemption for small businesses.

Applicability and Scope

MCDPA applies to businesses operating within Minnesota or offering goods or services to its residents, provided the business:

  • during a calendar year, controls or processes personal data of at least 100,000 Minnesota consumers, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
  • derives more than 25% of gross revenue from the sale of personal data and processes or controls the personal data of at least 25,000 Minnesota consumers.

The MCDPA provides an exemption for small businesses as defined by the United States Small Business Administration. This mirrors the approach seen in Texas and Nebraska, although those state laws do not incorporate the 100,000-consumer threshold for applicability. Minnesota also aligns with Texas and Nebraska in that small businesses, regardless of the number of consumers’ data they handle, are prohibited from selling sensitive consumer data without prior consent.

As in all other state laws except for the CCPA, “consumer” does not include employees or business-to-business contacts. The MCDPA exempts data subject to HIPAA or GLBA but does not include entity-level exemptions for non-profits or entities subject to HIPAA or GLBA.

Requirements

The MCDPA outlines several responsibilities for data controllers:

  • Transparency Obligations:
    • Controllers must provide consumers with a privacy notice that details the types of personal data processed, sold, shared, or profiled by the controller, the duration for which personal data is held by the controller, and the rights consumers possess regarding their personal data. Notably, controllers must electronically notify consumers of material changes to the controller’s privacy policy and provide consumers with a reasonable opportunity to withdraw consent to any materially different processing activities.
    • The MCDPA also requires controllers to document and maintain a description of the policies and procedures they have adopted to comply with the MCDPA, including the name and contact information of the controller’s chief privacy officer or another individual responsible for compliance and a description of the controller’s policies and procedures for compliance with the specific requirements of the law.
  • Sensitive Data: Controllers may not process sensitive data without consumer consent, which may be revoked at any time.
    • Sensitive data is defined as personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data for the purpose of uniquely identifying an individual, data collected from a known child, and specific geolocation data.
    • In contrast to other state privacy laws which provide a precise geolocation radius, specific geolocation is defined as “information derived from technology, including but not limited to global positioning system level latitude and longitude coordinates or other mechanisms, that directly identifies the geographic coordinates of a consumer or a device linked to a consumer with an accuracy of more than three decimal degrees of latitude and longitude or the equivalent in an alternative geographic coordinate system, or a street address derived from the coordinates.”
  • Non-Discrimination: Controllers may not process personal data based on specific protected classifications (such as race or gender) in a manner that discriminates against consumers of that category in significant areas like housing, employment, and public accommodation.
  • Data Privacy and Protection Assessments: The MCDPA requires controllers to conduct these assessments prior to: processing personal data for targeted advertising; processing sensitive data; selling personal data; processing for profiling, if the profiling presents an unreasonably foreseeable risk of unfair or deceptive treatment, financial, reputational, or physical injury, or a physical or other intrusion into a consumer’s private affairs; or processing that presents a heightened risk of harm.

Consumer Rights

Minnesota consumers have the following privacy rights:

  • Right to know and access personal data processed by a controller;
    • Like the Oregon Consumer Privacy Act, the MCDPA provides consumers with a right to request a list of specific third parties to whom the controller has disclosed the consumer’s personal data.
  • Right to correct inaccurate personal data;
  • Right to delete personal data;
  • Right to obtain a copy of the consumer’s personal data;
  • Right to opt out of the processing of personal data for purposes of targeted advertising; the sale of personal data; or profiling that has certain significant consequences; and
  • Right to review, understand, question, and correct how personal data has been profiled.
    • This right is unique to the MCDPA. Consumers have the right to review their data that has been used for profiling. If the decision was based on inaccurate data, consumers have the right to have the data corrected and the profiling decision reevaluated based upon the corrected data. Consumers also have the right to “question the result of the profiling, to be informed of the reason that the profiling resulted in the decision, and, if feasible, to be informed of what actions the consumer might have taken to secure a different decision and the actions that the consumer might take to secure a different decision in the future.”

The MCDPA requires controllers to honor opt-out requests sent through universal opt-out mechanisms (UOOMs).

Enforcement

The Minnesota Attorney General will enforce the MCDPA and may initiate a civil action against businesses that breach this privacy regulation, imposing fines of up to $7,500 per violation. Businesses will be granted a 30-day right to cure any violations; this right to cure will expire on January 31, 2026.

Koley Jessen is committed to staying informed about developments related to state privacy laws and will offer guidance as new information emerges. If you are unsure about your business's compliance needs or the steps required to adhere to state privacy laws, please contact one of the specialists in Koley Jessen's Data Privacy and Security Practice Area for expert assistance.


This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
