Minnesota Consumer Data Privacy Act (MCDPA): Guide to Compliance

The Minnesota legislature recently passed the Minnesota Consumer Data Privacy Law, which expanded the number of US states with consumer privacy legislation to nineteen. This new law requires companies to disclose their data collection and usage practices, and defines consumers' obligations to understand and consent to how their personal information is being used.

The law also includes provisions from the Elkins Act, which permit consumers to request businesses disclose the specific pieces of personal information they have collected. Companies have an obligation to respond to these requests and define the data they have collected. Overall, the Minnesota law aims to empower consumers with more transparency and control over how their personal data is being utilized.

What is the Minnesota Consumer Data Privacy Act?

The Minnesota Consumer Data Privacy Act (MCDPA) is the first-ever consumer privacy law in the state, reflecting a growing emphasis on data protection and consumer rights.

Set to take effect on July 31, 2025, this legislation mandates that businesses handling consumer data adhere to stringent privacy standards, similar to those set out in the California Consumer Privacy Act (CCPA) and the others that followed.

The Act provides an extended compliance period for nonprofit corporations and postsecondary institutions. These organizations are not required to comply with the new regulations until July 31, 2029, giving them additional time to align their practices with the law's requirements and implement the necessary data protection measures.

Does the MCDPA apply to my business?

The bill applies to legal entities that conduct business in the state or produce products or services targeted to Minnesota residents and that either:

• During a calendar year, control or process the personal data of at least 100,000 consumers (excluding payment transaction data) or
• Derive over 25% of gross revenue from the sale of personal data and process the personal data of at least 25,000 consumers.

The entities covered with sector-specific privacy laws are exempt.

The ban on sales of health data without consent applies to all businesses regardless of these thresholds.

What is personal data and sensitive data under the Minnesota privacy law?

Personal data is any data that could identify an individual, directly or indirectly.

Sensitive data, on the other hand includes:

• Health data
• Precise geolocation data
• Children data
• Data relted to ethnica origin, gender, race, sexual oritentation, etc.

Do we need a Minnesota privacy policy?

The Minnesota data privacy legislation requires controllers to provide consumers with a privacy notice explaining:

• What categories of personal data being processed;
• The purposes for which the personal data is processed;
• The categories of personal data a controller share with third-parties, if any;
• The categories of third parties with whom the controller shares personal data; and
• How and where consumers may exercise their rights to view, correct, and delete personal data, as well as how a consumer can appeal a controller’s actions or inactions in response to a consumer’s request.

The privacy policy must be available on the website through a link consisting the word "privacy".

Do we need to obtain consent for data processing?

In general, you don't need consent for data collection and processing in Minnesota. You just need to allow consumers to opt-out or some kinds of processing.

There are exceptions, however, in which yiou must obtain consent before collection or processing of the data. That includes processing sensitive personal information and secondary use of already collected data.

In all other cases, you don't need to ask.

What are the duties for businesses under the MCDPA?

The Minnesota comprehensive data privacy legislation:

• Limits a controller’s ability to collect and use personal data
• Requires appropriate data security practices
• Prohibits the processing of sensitive data without the consumer's consent, which may be revoked
• For children between 13 and 16, prohibits targeted advertising and prohibits the sale of personal data without consent
• Bans discrimination in the data processing and profiling
• Prohibits contracts that seek to have consumers waive their rights under the act
• Requires contracts with service providers (processors)
• Maintain data inventory
• Requires controllers to document and maintain a description of the policies and procedures that controller has adopted to comply
• Conduct privacy impact assessment where needed.

What are the consumer privacy rights of Minnesota residents?

Minnesota residents have the following privacy rights:

• Right to know and access personal data processed by a controller;
• Right to correct inaccurate personal data;
• Right to delete personal data;
• Right to obtain a copy of the consumer’s personal data;
• Right to opt out of: the processing of personal data for purposes of targeted advertising; the sale of personal data; or profiling that has certain significant consequences; and
• Right to review, understand, question, and correct how personal data has been profiled.

The last one - the right to review and question how personal data has been profiled is unique to Minnesota.

Controllers have a 45-day time limit for complying with a request to exercise consumer rights.

Unlike other US state privacy laws, this one requires a controller to establish an internal appeal process if a consumer’s request to exercise a right is denied and sets a 45-to-105-day time limit for appeals. If a consumer appeal is denied, the controller must provide information on how to file a complaint with the Minnesota Attorney General. 

What are the opt-out requirements for businesses?

There are two ways in which you must allow consumers to opt-out:

• Opt-out link on the website
• Universal opt-out mechanisms, such as the Global Privacy Controls

As mentioned above, consumers can opt out of targeted advertising, profiling, and sales of their data.

Do we need to conduct privacy impact assessments?

The Act mandates that controllers develop comprehensive "data privacy and protection assessments," which must detail the specific policies and procedures implemented to ensure compliance with the law. These assessments are required to cover various aspects of data handling, including the methods for collecting, storing, and using personal information, as well as the safeguards in place to protect consumer data from breaches and misuse.

Controllers must include detailed descriptions of their data protection measures, risk management strategies, and mechanisms for ensuring ongoing compliance with the Act’s provisions.

Furthermore, the Act grants the attorney general the authority to request copies of these assessments in connection with ongoing investigations.

Enforcement and penalties for MCDPA

The Act empowers the attorney general to initiate a civil lawsuit under their existing authority against any controller or processor found in violation of the law.  Violators may face substantial civil penalties, with fines reaching up to $7,500 for each individual violation.

Before penalties, the Attorney General has to give a warning letter to the violator with a period to comply. Only if the entity fails to cure the violation within the provided timeframe can the attorney general proceed with filing a civil lawsuit.