Minnesota Consumer Data Privacy Act (MCDPA): A Comprehensive Guide for Businesses

The Minnesota Consumer Data Privacy Act (MCDPA) is a new state law that gives Minnesota residents broad rights over their personal data and imposes significant obligations on businesses. Enacted on May 24, 2024, and taking effect July 31, 2025, the MCDPA will require companies to update their privacy practices to comply.

Scope and Applicability of the MCDPA

Who Must Comply: The MCDPA applies to companies that do business in Minnesota or target products/services to Minnesota residents, and that meet one of these thresholds in a calendar year:

  • Control or process personal data of 100,000 or more Minnesota consumers (i.e. residents).
  • Control or process data of 25,000 or more Minnesota consumers and derive over 25% of gross revenue from the sale of personal data.

Consumer Rights Under the MCDPA

The MCDPA gives Minnesota residents six rights over their personal data. Businesses covered by the law will need to support and uphold these consumer rights by providing transparent processes and timely responses:

Right to Access (Know)

Consumers can confirm whether a business (controller) is processing their personal data and can access that data.

Right to Correct

Consumers can ask a business to correct inaccuracies in their personal data. If someone finds that some information held about them is wrong or outdated, they can request an update, and the business must correct it in its records and systems.

Right to Delete

Consumers have the right to delete personal data the business has collected about them. Upon a verifiable deletion request, a company must delete the consumer’s personal information from its systems (and instruct its service providers to do so), unless a specific exemption applies (for example, if the data must be retained for legal compliance).

Right to Data Portability

Consumers can obtain a copy of their personal data in a portable, usable format. This means a business should be prepared to export the individual’s data (typically in a standard format like CSV or JSON) so the person can store it or transfer it to another service.

Right to Opt-Out of Certain Processing

Consumers can opt out of three specific types of data processing:

  • Targeted Advertising: They can say no to their personal data being used for targeted ads (ads personalized based on tracking their behaviour across websites/apps).
  • Sale of Personal Data: Users can opt out of having their data sold to third parties. “Sale” is defined broadly to include exchanges of data for money or other valuable consideration, so this covers not just literal sales but also some sharing arrangements.
  • Profiling with Significant Effects: They can opt out of profiling that produces legal or similarly significant effects. In practice, this refers to the automated processing of personal data to evaluate or predict things about a person (for example, algorithmic decisions on credit, employment, insurance, etc.). If those automated decisions significantly impact the consumer, the consumer has a right to opt out of that profiling.

Right to Profiling Transparency and Challenge

In addition to opting out of profiling, Minnesota gives consumers a unique right to review and dispute automated decisions. A consumer can question and understand a profiling-based decision about them and even correct the data used in profiling.

Business Obligations and Compliance Requirements

Companies that fall under the law should be prepared to implement the following key requirements:

Privacy Notice Transparency

Controllers must publish a “reasonably accessible, clear, and meaningful” online privacy notice for consumers. The content of the privacy notice should include:

  • Categories of personal data the company processes (e.g. contact info, purchase history, browsing data, etc.).
  • Purposes for processing that data (why the data is collected and used).
  • Consumer rights under MCDPA and how to exercise those rights (e.g. “You have the right to delete your data. Here’s how you can submit a request…”).
  • Categories of third parties to whom the company discloses personal data (e.g. “we share your data with payment processors, advertising partners, etc.”).
  • Data retention practices – how long the personal data is kept before deletion or anonymization.
  • Contact information (an email address, web form, or other method) that consumers can use to reach the company with privacy inquiries or requests.

The MCDPA also specifically requires that if any material changes are made to the privacy notice, the business must notify consumers electronically (for instance, via email or an in-app notification) and give consumers a reasonable opportunity to withdraw consent to any new uses of their data that differ materially from what was originally disclosed.

Clear Opt-Out Mechanisms

If a business sells personal data, uses personal data for targeted advertising, or engages in significant profiling, the company’s privacy notice should disclose these activities, and a clear opt-out method must be provided.

Data Minimization

Businesses should limit the personal data they collect and process to what is adequate, relevant, and reasonably necessary in relation to the purposes disclosed to the consumer. You cannot collect data “just because” or for undefined future uses – if you’re collecting personal information, it should be for a specific, legitimate purpose that you have communicated to the user.

Data Security Safeguards

Companies must establish and maintain reasonable administrative, technical, and physical data security practices to protect personal data. The security measures should be appropriate to the volume and sensitivity of the data you hold.

Consent for Sensitive Data

The MCDPA places special protections on “sensitive data,” which includes information like racial or ethnic origin, religious beliefs, health diagnoses, sexual orientation, citizenship/immigration status, genetic or biometric identifiers, precise geolocation data, and personal data of children (under 13). Under the law, controllers cannot process sensitive personal data without obtaining the consumer’s affirmative consent.

Non-Discrimination and No Waiver of Rights

MCDPA explicitly prohibits companies from discriminating against consumers for exercising their privacy rights. This means you cannot deny goods or services, charge different prices, or provide a different level of quality to someone who opts out of data sales or exercises any right under the Act. The law does allow loyalty programs or discounts related to data collection as long as they are reasonable and not unjust, but you cannot outright punish a person for opting out.

Data Protection Assessments

The MCDPA requires companies to conduct Data Protection Assessments (essentially, privacy risk impact assessments) for certain high-risk data processing activities. Specifically, if your business engages in any of the following, you must perform and document an assessment:

  • Targeted Advertising: Using personal data to target ads to consumers (especially via third-party ad networks or cross-site tracking).
  • Selling Personal Data: Selling or exchanging personal data for valuable consideration.
  • Processing Sensitive Data: Any collection or use of the defined sensitive personal data categories.
  • Profiling with Risk: Automated profiling that presents a reasonably foreseeable risk of things like unfair or deceptive treatment of consumers, unlawful disparate impact (discrimination), invasion of privacy, or other substantial injury to consumers.

Enforcement and Penalties

The Minnesota Consumer Data Privacy Act will be enforced exclusively by the Minnesota Attorney General (AG). There is no private right of action, meaning individual consumers cannot sue businesses under this law on their own. Instead, enforcement will happen through the AG’s office, which can investigate and bring civil actions against companies for violations.

Civil Penalty: If a company fails to cure a violation (or after the cure period sunsets) and is found in violation of the MCDPA, the Attorney General may seek civil penalties of up to $7,500 per violation.

Actionable Steps to Prepare for MCDPA Compliance

With the effective date approaching, businesses should start moving now to meet MCDPA requirements. Below is a step-by-step guide for professionals to implement a compliance program for the Minnesota Consumer Data Privacy Act:

  1. Appoint a Privacy Lead or Team: Designate a person (or committee) responsible for data privacy compliance. Given that MCDPA expects you to list a contact and maintain policies, having an internal point person such as a Chief Privacy Officer, Data Protection Officer, or Compliance Manager is important. This person/team will drive the following steps and be the liaison if any issues arise. Ensure leadership is aware of the upcoming law and supports compliance efforts.

  2. Map and Inventory Your Data: Conduct a comprehensive data inventory and mapping of data flows in your organization. Know what personal data you collect about Minnesota residents, where it is stored, what you use it for, and with whom you share it.

  3. Update Privacy Policies and Notices: Rewrite or update your external-facing privacy notice to include all MCDPA-required disclosures. Ensure it’s clearly posted on your website (with “Privacy” in the link name).

  4. Implement Consumer Rights Request Procedures: Set up the infrastructure to handle requests from individuals exercising their rights.

  5. Enable Opt-Out and Consent Mechanisms: In compliance with MCDPA’s consumer choice provisions:

    • Add a “Do Not Sell or Share My Data” / “Opt-Out of Targeted Ads” link on your website, if applicable. This link should be easily visible (footer or header) and take users to either opt-out confirmation or a page explaining their opt-out options.

    • Configure your systems to recognize and honor universal opt-out signals (like Global Privacy Control) as opt-out requests. Work with your web developers or third-party consent management platform to ensure that when a browser sends a “do not sell” signal, your site or ads respond accordingly by opting that user out of tracking/sales.

    • Implement consent prompts for sensitive data collection or use.

  6. Strengthen Data Security: Evaluate your current security measures against the MCDPA’s standard of “reasonable” protections relative to your data’s sensitivity and volume.

  7. Conduct Data Protection Assessments: For each processing activity that triggers the requirement (targeted ads, selling data, using sensitive data, high-risk profiling, etc.), perform a Data Protection Assessment and document it.

  8. Update Contracts with Processors/Partners: Review your vendor and partner agreements, especially anywhere your company is the controller sharing data with a service provider (marketing firms, cloud providers, payment processors, etc.).

  9. Train Your Team and Communicate: A compliant program isn’t effective if only one person knows about it. Train employees and service providers who handle personal data or consumer inquiries. Ensure customer support knows how to route privacy requests, IT knows about the deletion and opt-out mechanisms, marketing knows not to e-mail people who opted out of profiling, etc.

  10. Monitor and Maintain Compliance: Once the MCDPA is in effect, monitor for any guidance from the Minnesota AG on enforcement priorities or rules (for instance, regulations or explanations issued by the AG; the law authorizes some rulemaking). Keep an eye on any updates to the law or new interpretations. Plan to periodically review your privacy program – e.g., annual audits of your data inventory, security testing, and perhaps a refresh of your data protection assessments if you significantly change a data practice. Maintain all required documentation (request logs, assessment reports, training materials) so you can demonstrate compliance if audited.
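
For the universal opt-out signal in step 5, an added example (not part of the original guide): a server-side check for the Global Privacy Control request header, `Sec-GPC: 1`, merged with a user's stored choices. The function names, the stored-preference fields, and the rule that an opt-out from either source wins are assumptions made for illustration.

```javascript
// Added example. gpcAsserted, resolveChoices and the `stored` object shape
// are hypothetical names, not part of any library or of the MCDPA text.

// GPC is sent as the request header "Sec-GPC" with the single value "1".
// Header names are case-insensitive; any other value is not an opt-out signal.
function gpcAsserted(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "sec-gpc") continue;
    // Some servers expose repeated headers as an array.
    const values = Array.isArray(value) ? value : [value];
    if (values.some((v) => String(v).trim() === "1")) return true;
  }
  return false;
}

// Combine the signal with stored per-user choices (assumed policy: an
// opt-out from either source wins, and a missing header never re-enables
// processing the user already opted out of).
function resolveChoices(headers, stored = {}) {
  const gpc = gpcAsserted(headers);
  const saleOptOut = gpc || stored.saleOptOut === true;
  const adsOptOut = gpc || stored.targetedAdsOptOut === true;

  let source = "none";
  if (gpc) source = "gpc-header";
  else if (saleOptOut || adsOptOut) source = "stored-preference";

  return {
    allowSale: !saleOptOut,
    allowTargetedAds: !adsOptOut,
    // Entry for the request log, so the opt-out can be shown to have been honored.
    audit: { source, saleOptOut, adsOptOut },
  };
}

// Constructed sample requests (not captured traffic).
const samples = [
  { headers: { "Sec-GPC": "1" }, stored: {} },
  { headers: { "sec-gpc": "0" }, stored: { saleOptOut: true } },
  { headers: { "user-agent": "example" }, stored: {} },
];
for (const s of samples) {
  console.log(JSON.stringify(resolveChoices(s.headers, s.stored)));
}
```

Gate ad tags, third-party pixels and data-sale exports on `allowTargetedAds` and `allowSale` before the response is rendered, so the opt-out applies to the same request that carried the signal.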

Conclusion

With the effective date of July 31, 2025, on the horizon, now is the time to get your privacy practices in compliance. Treat your Minnesota privacy compliance project as an opportunity to enhance your data governance overall. Not only will this keep you on the right side of the law (and help you avoid fines of up to $7,500 per violation), but it can also build trust with your customers, who increasingly care about how their data is handled.