On May 24, 2024, Minnesota Governor Tim Walz signed the Minnesota Consumer Data Privacy Act (MCDPA) into law, establishing Minnesota as the 18th U.S. state with a comprehensive consumer privacy framework. The MCDPA took effect on July 31, 2025, and imposed broad new obligations on businesses handling Minnesota residents' personal data. Businesses operating nationally should have assessed their compliance readiness in advance, particularly those already managing multi-state privacy compliance.
While the MCDPA shared similarities with other state privacy laws—such as those in Colorado and California—it introduced several distinctive features that merited close attention, especially for companies in advertising, health-adjacent services, and AI/data analytics sectors.
Scope and Applicability
The MCDPA applied to entities conducting business in Minnesota or targeting Minnesota residents and meeting either of the following thresholds:
- Controlled or processed personal data of 100,000 or more Minnesota consumers annually; or
- Controlled or processed personal data of 25,000 or more Minnesota consumers and derived more than 25% of gross revenue from the sale of personal data.
The law explicitly excluded state agencies, financial institutions governed by GLBA, covered entities under HIPAA, and small businesses as defined by the Small Business Administration. However, it applied to nonprofits beginning July 31, 2029, making Minnesota one of the few states to eventually regulate nonprofit organizations under privacy law.
Consumer Rights
The MCDPA granted Minnesota residents a robust set of rights over their personal data, including:
- Access: To confirm whether a controller was processing personal data and to access such data.
- Correction: To correct inaccuracies in their personal data.
- Deletion: To request deletion of personal data provided by or collected about them.
- Portability: To obtain a portable copy of their data.
- Opt-Out Rights: To opt out of:
  - Targeted advertising;
  - The sale of personal data;
  - Profiling in furtherance of decisions that produce legal or similarly significant effects.
- Questioning Profiling Decisions: To obtain an explanation for profiling-based decisions, pursue alternative outcomes, and correct inaccurate data used in such profiling.
- Third-Party Disclosure Insight: To receive a list of specific third parties to whom data had been disclosed—or a general ledger if specific identification was not feasible.
Controllers were required to respond to consumer rights requests within 45 days, with one 45-day extension permitted. Notably, the Act required businesses to provide appeal rights for denied requests and respond in "plain language" to consumers regarding appeal outcomes.
Business Duties and Compliance Requirements
The MCDPA imposed extensive obligations on data controllers and processors, including:
- Data Minimization: Collect only data that was adequate, relevant, and reasonably necessary.
- Purpose Limitation: Process data solely for purposes disclosed in the privacy notice.
- Risk Assessments: Required for high-risk processing activities, such as profiling, use of sensitive data, or selling data.
- Contractual Requirements: Controllers had to enter into contracts with processors that clearly allocated responsibilities and included obligations relating to security, breach notification, and cooperation with risk assessments.
- Privacy Notices: Had to be accessible, understandable, and include details on processing purposes, data categories, sharing practices, and consumer rights.
- Chief Privacy Officer: Businesses had to designate an individual to oversee compliance.
- Data Inventory and Policies: Organizations were required to maintain a documented data inventory and written policies to govern personal data handling.
A particularly notable provision: A separate, clear privacy notice had to be provided at the point of collection when sensitive data was being processed in an unexpected or non-obvious manner.
Restrictions on Data Use and Sale
Minnesota's law imposed strict limitations on how personal data—especially sensitive data—could be used:
- Consent Required for Sensitive Data Sale or Targeted Ads: Businesses had to obtain opt-in consent to sell or use sensitive data for targeted advertising.
- Broad Definition of Sensitive Data: Included data revealing racial or ethnic origin, religious beliefs, mental or physical health, precise geolocation, sexual orientation, immigration status, and known child status.
- Ban on Dark Patterns: Consent had to be freely given and not obtained through user interface designs that manipulated consumer behavior or impaired autonomy.
Moreover, businesses were prohibited from using personal data in ways materially inconsistent with the original purpose of collection unless new consent was obtained.
Unique and Noteworthy Provisions
- Non-Discrimination Clause: Prohibited businesses from penalizing consumers for exercising their rights, such as by sending warning messages that opting out might result in degraded service.
- Minor Protections: Businesses had to obtain affirmative opt-in consent before processing data for targeted advertising or selling data of consumers known to be under 17.
Enforcement and Rulemaking
The Minnesota Attorney General had exclusive enforcement authority under the MCDPA. The Act did not provide a private right of action. Violations were subject to civil penalties of up to $7,500 per violation.
Importantly, the MCDPA included a grace period for enforcement: Until January 31, 2026, the Attorney General was required to issue a cure notice and allow 30 days for correction before initiating enforcement.
While the Act did not authorize administrative rulemaking at the time of enactment, it included language hinting at the potential for future regulatory development.
What Should Businesses Have Done?
To prepare for the MCDPA's 2025 effective date, businesses should have taken the following steps:
- Conduct Data Mapping and Gap Assessments: Evaluated current data practices against MCDPA requirements, particularly consumer rights and consent mechanisms.
- Update Contracts with Vendors and Processors: Ensured data processing agreements included all statutorily required terms.
- Revise and Publish Privacy Notices: Ensured public-facing disclosures met the granularity and accessibility standards under the Act.
- Develop Consumer Rights Infrastructure: Built user interfaces for rights requests, including universal opt-out signals like Global Privacy Control (GPC).
- Assess Profiling and AdTech Practices: Identified profiling activities and implemented opt-out and challenge mechanisms.
- Train Staff: Updated internal training materials to reflect MCDPA duties, rights, and enforcement timelines.
- Designate a Chief Privacy Officer: Appointed a qualified person to oversee privacy program implementation and compliance.
The CommLaw Group Can Help!
The CommLaw Group's Privacy, AdTech, and Telecommunications Compliance teams continue to monitor the MCDPA and its interaction with other state privacy laws. We offer practical support for regulatory gap analysis, contract updates, consumer-facing notices, and cross-jurisdictional privacy strategy.