



Dive into the Minnesota Consumer Data Privacy Act (MCDPA) with our detailed guide. Learn about compliance requirements, consumer rights, opt-out mechanisms, and penalties for non-compliance.
The Minnesota legislature recently passed the Minnesota Consumer Data Privacy Law, which expanded the number of US states with consumer privacy legislation to nineteen. This new law requires companies to disclose their data collection and usage practices, and defines consumers' obligations to understand and consent to how their personal information is being used.
The law also includes provisions from the Elkins Act, which permit consumers to request businesses disclose the specific pieces of personal information they have collected. Companies have an obligation to respond to these requests and define the data they have collected. Overall, the Minnesota law aims to empower consumers with more transparency and control over how their personal data is being utilized.
The Minnesota Consumer Data Privacy Act (MCDPA) is the first-ever consumer privacy law in the state, reflecting a growing emphasis on data protection and consumer rights.
Set to take effect on July 31, 2025, this legislation mandates that businesses handling consumer data adhere to stringent privacy standards, similar to those set out in the California Consumer Privacy Act (CCPA) and the others that followed.
The Act provides an extended compliance period for nonprofit corporations and postsecondary institutions. These organizations are not required to comply with the new regulations until July 31, 2029, giving them additional time to align their practices with the law's requirements and implement the necessary data protection measures.
The bill applies to legal entities that conduct business in the state or produce products or services targeted to Minnesota residents and that either:
Entities covered by sector-specific privacy laws are exempt.
The ban on sales of health data without consent applies to all businesses regardless of these thresholds.
Personal data is any data that could identify an individual, directly or indirectly.
Sensitive data, on the other hand, includes:
The Minnesota data privacy legislation requires controllers to provide consumers with a privacy notice explaining:
The privacy policy must be available on the website through a link containing the word "privacy".
In general, you don't need consent for data collection and processing in Minnesota. You just need to allow consumers to opt out of some kinds of processing.
There are exceptions, however, in which you must obtain consent before collecting or processing the data. These include processing sensitive personal information and secondary use of already collected data.
In all other cases, you don't need to ask.
The Minnesota comprehensive data privacy legislation:
Minnesota residents have the following privacy rights:
The last one, the right to review and question how personal data has been profiled, is unique to Minnesota.
Controllers have a 45-day time limit for complying with a request to exercise consumer rights.
Unlike other US state privacy laws, this one requires a controller to establish an internal appeal process if a consumer’s request to exercise a right is denied and sets a 45-to-105-day time limit for appeals. If a consumer appeal is denied, the controller must provide information on how to file a complaint with the Minnesota Attorney General.
There are two ways in which you must allow consumers to opt out:
As mentioned above, consumers can opt out of targeted advertising, profiling, and sales of their data.
The Act mandates that controllers develop comprehensive "data privacy and protection assessments," which must detail the specific policies and procedures implemented to ensure compliance with the law. These assessments are required to cover various aspects of data handling, including the methods for collecting, storing, and using personal information, as well as the safeguards in place to protect consumer data from breaches and misuse.
Controllers must include detailed descriptions of their data protection measures, risk management strategies, and mechanisms for ensuring ongoing compliance with the Act’s provisions.
Furthermore, the Act grants the attorney general the authority to request copies of these assessments in connection with ongoing investigations.
The Act empowers the attorney general to initiate a civil lawsuit under their existing authority against any controller or processor found in violation of the law. Violators may face substantial civil penalties, with fines reaching up to $7,500 for each individual violation.
Before seeking penalties, the attorney general must send the violator a warning letter that sets a period to comply. Only if the entity fails to cure the violation within the provided timeframe can the attorney general proceed with filing a civil lawsuit.