How to Comply with the Minnesota Consumer Data Privacy Act?

By Safna January 9, 2025

Expert reviewed

Minnesota debuted in the US privacy landscape by enacting the Minnesota Consumer Data Privacy Act. The law received the governor's approval in May 2024 and will take effect in 2025.

Official text: Minnesota Consumer Data Privacy Act

Effective date: July 31, 2025

Enforcement Agency: Minnesota Attorney General

Penalty: Civil penalties of up to $7500

What is the Minnesota Consumer Data Privacy Act (MCDPA)? 

As data privacy concerns escalate, states across the US are enacting privacy laws. Minnesota has recently entered this realm. Though it shares similarities with other laws, such as the New Hampshire privacy law, it also introduces unique provisions. 

The law grants several rights to consumers, including the right to confirm and opt-out, but the one that stands out is the right to question the results of profiling. Along with privacy rights, Minnesota law enforces stringent obligations upon businesses.

Who does the Minnesota Consumer Data Privacy Act apply to?

The Minnesota privacy law applies to businesses operating within the state or targeting products/services to Minnesota residents, provided they fulfil any of the following criteria in a year:

  • Control/process the personal data of 100,000 consumers or more, except for completing payment transactions.
  • Control/process the personal data of 25,000 consumers or more and gain more than 25% of revenue from the sale of personal data.

The law also extends its scope to technology providers as defined under the Education record law.

Who does the Minnesota Consumer Data Privacy Act not apply to?

MCDPA grants exemptions to certain entities such as government entities, federally recognized Indian tribes, covered entities and protected information under HIPAA, personal data covered by the Gramm-Leach-Bliley Act, etc.

Apart from these standard exemptions, the law also exempts small businesses (except for sensitive data sale provisions), and non-profit organizations that detect and prevent insurance-related fraudulent acts.

What is personal data under the Minnesota Consumer Data Privacy Act?

Personal data under Minnesota privacy law aligns with definitions in other US privacy laws. It is any information that is linked or is reasonably linkable to an identified or identifiable person.

Personal data does not include publicly available information or de-identified data.

Publicly available information includes any information that is available through government records or widely distributed media, or that the controller has a reasonable basis to believe has been lawfully made available to the general public.

What is sensitive data under the Minnesota Consumer Data Privacy Act?

The following categories of personal data are further categorized as sensitive under Minnesota privacy law and require user consent before their processing:

  • Personal data revealing:
    • Racial or ethnic origin
    • Religious beliefs
    • Mental/physical health condition or diagnosis
    • Sexual orientation
    • Citizenship/immigration status
  • Processing of biometric/genetic information to identify a person
  • Personal data of an individual known to be a child
  • Specific geolocation data

What are the consent requirements under the Minnesota Consumer Data Privacy Act?

Minnesota's consent requirements are similar to most US privacy laws.

Consent is defined as a freely given, specific, informed and unambiguous indication of the consumer's wishes by which the consumer signifies agreement to the processing of personal data relating to the consumer.

Do not rely on acceptance of general or broader terms for consent. Likewise, hovering over, muting, pausing or closing the consent banner or a given piece of content will not constitute consent.

Do not obtain consent using dark patterns. Later in this blog, we will thoroughly examine the circumstances where businesses are required to obtain consent.

What are the privacy notice requirements under the Minnesota Consumer Data Privacy Act?

The law demands stringent and elaborate privacy notice standards. Let us take a look at what information must be provided in your privacy notice.

  • Categories of personal data processed by your business
  • The specific purposes of processing
  • Consumer rights and how they can be exercised including the appeal process
  • Categories of personal data your business sells or shares with third parties
  • Categories of third parties to whom the data is sold or with whom it is shared
  • Controller's contact information including an active email address or other online mechanisms
  • Controller's retention policy of personal data
  • The last update date of the privacy notice
  • If personal data is used for targeted advertising, profiling, or sale, disclose that along with an opt-out link such as “Your Opt-Out Rights” or “Your Privacy Rights.”

The privacy notice must be easily accessible and made available in all languages in which your business provides products or services to which the notice applies.

What are the obligations of businesses under the Minnesota Consumer Data Privacy Act?

Businesses to whom the Minnesota law applies must comply with the following obligations:

Transparency

As discussed already, businesses must conspicuously provide an easily understandable privacy policy to consumers. Ensure that it is accessible to and usable by persons with disabilities.

Furthermore, inform individuals using any reasonable electronic means about any changes to the privacy policy and allow them to withdraw consent if required. The privacy notice must be accessible via a clear “privacy” link on the controller’s website home page, app store page, or download page. For mobile applications, it should also be available in the app’s settings menu or an equally visible location.

Data minimization

Limit the collection of personal data to what is adequate, relevant or necessary to fulfil the disclosed purpose to the consumer.

Purpose limitation

Businesses cannot use the collected data for any purposes other than those disclosed to the consumer unless the consumer consents to it. It is also important to note that you cannot retain personal data that is no longer relevant or necessary for its original purpose unless required by law.

Security safeguards

Ensure that you have implemented appropriate technical, physical, and administrative security measures proportional to the volume and nature of the data to safeguard the confidentiality of personal data under your control. 

Consent

Businesses cannot process sensitive data without the consumer's consent. For children below 13, obtain verifiable parental consent in adherence to COPPA. To sell sensitive data, all businesses, including small businesses, must obtain consumer consent.

Furthermore, consent is necessary for processing the personal data of individuals between 13 and 16 years of age for targeted advertising, sale and profiling.

Consumers have the right to revoke their consent at any time. Therefore, you must provide convenient consent withdrawal mechanisms. Upon revocation, stop processing the personal data within 15 days.

Non-discrimination

Minnesota law does not permit discrimination against consumers based on their exercise of rights. But that is not all; there is more you must be cautious of. 

Businesses cannot process personal data in a discriminatory manner based on race, colour, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, income source, or disability when offering housing, employment, credit, education, goods, privileges, advantages or public accommodations.

Data privacy policies

Minnesota law creates a unique requirement for businesses to document and maintain a description of policies and procedures to prove their compliance with the obligations imposed by the law. Along with the data protection strategies, the policy must contain the name and contact information of the chief privacy officer.

Data privacy and protection assessments

Businesses must conduct assessments for the processing of data involving high risks such as sensitive data, personal data used for profiling, etc. These assessments must be kept confidential.

Contractual relationship

Have a contractual relationship with the processors and third parties involved in processing and ensure their compliance with the law. The contract must determine the nature and purpose of processing, its duration, the types of data processed, etc.

Global opt-outs

The law requires businesses to recognize universal opt-out signals.

Response to consumer requests

Respond to consumer requests within 45 days. If necessary, this period can be extended by another 45 days after promptly notifying the consumer.

Businesses must also fulfil the request for information by the customer free of charge twice annually per person.

Controllers cannot directly disclose the following in response to a consumer request:

  • Social security numbers
  • Driver’s licence numbers or other government identifiers
  • Financial account numbers
  • Health insurance numbers or medical identification numbers
  • Account passwords, security questions or answers
  • Biometric data.

Appeal 

Businesses must establish a process for the consumer to appeal against the refusal of a consumer request. Respond to the appeal within 45 days, which can be extended by another 60 days if necessary.

What are the rights of consumers under the Minnesota Consumer Data Privacy Act?

The Minnesota privacy law empowers consumers with the following rights:

Right to confirm

Consumers have the right to confirm whether the business is processing their personal data and access the categories of such data being processed.

Right to correct

The law also allows consumers to correct any inaccuracies in their personal data.

Right to delete

Consumers can request the deletion of their personal data.

Right to portability

Consumers can obtain the personal data provided by them to the controller in a portable and readily usable format.

Right to opt-out

Consumers have the right to opt out of:

  • Targeted advertising
  • Profiling
  • Sale of personal data

Right to question 

This unique right allows consumers to question the results of profiling and to be informed of the reasons for such a decision.

Additionally, they can review the personal data used for profiling. If it turns out that the profiling decision was based on incorrect information, they can correct the data and request reevaluation.

Right to obtain 

Consumers can obtain the list of specific third parties with whom their personal data is shared. If the controller does not keep records specific to the consumer, it can instead provide the list of third parties with whom it has shared any consumer's personal data.

Enforcement of the Minnesota Consumer Data Privacy Act

The Attorney General of Minnesota has the exclusive enforcement authority of the law. The law does not grant a private right of action to the consumers.

The law gives a cure provision that expires on January 31, 2026. Before initiating legal action, the AG will provide a warning letter and 30 days to cure the violation. If the violation continues after the cure period, legal action might arise.

The law prescribes a civil injunction and a penalty of $7500 for a single violation.

Checklist: Minnesota Consumer Data Privacy Act compliance

  • Practice data minimization and purpose limitation
  • Obtain prior consent to process and sell sensitive data
  • Do not process the personal data of consumers aged 13 to 16 for targeted advertising, profiling and sale without prior consent
  • Adhere to COPPA regulations while processing children's personal data (below 13 years)
  • Provide opt-out mechanisms for targeted advertising, sale of personal data and profiling
  • Recognize global opt-outs
  • Provide a clear and accessible privacy notice
  • Document and maintain descriptions and policies to demonstrate compliance
  • Respond to consumer requests promptly
  • Have a contractual relationship with processors and third parties
  • Do not discriminate against consumers 
  • Conduct data protection impact assessments

FAQ on Minnesota privacy law

Does Minnesota have a privacy law?

Yes, the Minnesota governor approved the Consumer Data Privacy Act in May 2024, and it will be in effect from July 2025. The law requires businesses to comply with obligations such as data minimization, purpose limitation, privacy notice, consent requirements, etc. Although the law is similar to most US privacy laws, some provisions make the law stand apart.

What are the rights of consumers?

The Minnesota law confers upon consumers the rights to confirm, correct and delete their personal data, to data portability, to opt out, to question the results of profiling, and to obtain the list of third parties with whom personal data is shared.

Safna

Safna Y Yacoob is a lawyer turned data privacy writer. At CookieYes, she transforms complex privacy regulations into actionable insights for businesses. On off-hours, find her brightening days with one-liners, spinning playlists, or watching feel-good movies.
