Overview
The Minnesota Consumer Data Privacy Act (MCDPA) is a comprehensive state privacy law that grants Minnesota residents expanded rights over their personal data while imposing strict compliance requirements on businesses. Signed into law on May 24, 2024, the MCDPA takes effect on July 31, 2025.
Minnesota’s privacy law is modeled after Connecticut’s CTDPA and Colorado’s CPA, making it consumer-friendly while still providing businesses with clear compliance obligations.
Who Must Comply?
The MCDPA applies to businesses that operate in Minnesota or target Minnesota residents and meet one of the following criteria:
✔ Process personal data of at least 100,000 Minnesota consumers annually
✔ Process personal data of at least 25,000 Minnesota consumers and derive over 25% of gross revenue from selling personal data
Exemptions:
The law does not apply to:
🚫 Government agencies
🚫 Nonprofits
🚫 Financial institutions subject to GLBA
🚫 HIPAA-covered entities
🚫 Higher education institutions
Key Consumer Rights Under MCDPA
✔ Right to Access – Consumers can request a copy of their personal data.
✔ Right to Correct – Consumers can request corrections to inaccurate personal data.
✔ Right to Delete – Consumers can request the deletion of personal data.
✔ Right to Data Portability – Consumers can receive their data in a portable format.
✔ Right to Opt-Out – Consumers can opt out of:
- Targeted advertising
- Sale of personal data
- Automated profiling that affects legal or financial decisions
📌 Universal Opt-Out Mechanism Required (2026) – Businesses must recognize Global Privacy Control (GPC) signals starting in 2026.
Business Compliance Requirements
✔ Opt-In Consent for Sensitive Data – Businesses must obtain explicit consumer consent before processing:
📌 Racial/ethnic origin
📌 Religious beliefs
📌 Biometric data
📌 Health conditions
📌 Children’s data
✔ Transparency & Privacy Notices – Companies must provide clear privacy policies detailing data collection and usage.
✔ Data Protection & Security – Businesses must implement reasonable security safeguards to protect consumer data.
✔ Data Protection Assessments (DPA) – Businesses must conduct risk assessments for:
📌 Targeted advertising
📌 Data sales
📌 AI-driven decision-making
Real-World Enforcement Cases
The Minnesota Attorney General is responsible for enforcing the MCDPA, with penalties of up to $7,500 per violation.
📌 30-Day Cure Period Until 2026 – Businesses have 30 days to fix compliance issues before facing fines, but this grace period expires in 2026.
Since MCDPA does not take effect until July 31, 2025, major enforcement cases have not yet occurred, but businesses failing to implement opt-out mechanisms or lacking proper security protections are expected to face early enforcement actions.
📌 Comparison with Other State Privacy Laws
The Minnesota MCDPA is stronger than many other state laws due to:
✅ Lower Applicability Threshold (25% revenue from data sales) – More businesses must comply than in Virginia and Kentucky.
✅ Universal Opt-Out Mechanism Required (2026) – Businesses must honor automated privacy requests.
✅ 30-Day Cure Period Expiring (2026) – After 2026, violations will result in immediate fines.
Future of MCDPA Regulation
📌 Stronger enforcement expected in 2026, particularly for AI-driven profiling.
📌 Potential expansion of consumer rights in future amendments.
📌 Possible updates to align with federal privacy laws if enacted.Minnesota’s MCDPA sets a new standard for consumer privacy, with strict enforcement, universal opt-out requirements, and broad applicability.
